This paper introduces a novel technique to decide the satisfiability of formulae written in the language of Linear Temporal Logic with Both future and past operators and atomic formulae belonging to a constraint system $\mathcal{D}$ (CLTLB($\mathcal{D}$) for short). The technique is based on the concept of bounded satisfiability, and hinges on an encoding of CLTLB($\mathcal{D}$) formulae into QF-EU$\mathcal{D}$, the theory of quantifier-free equality and uninterpreted functions combined with $\mathcal{D}$. Similarly to standard LTL, where bounded model checking and SAT solvers can be used as an alternative to automata-theoretic approaches to model checking, our approach allows users to solve the satisfiability problem for CLTLB($\mathcal{D}$) formulae through SMT-solving techniques, rather than by checking the emptiness of the language of a suitable automaton $\mathcal{A}_\phi$. The technique is effective, and it has been implemented in our Zot formal verification tool.
1. INTRODUCTION

Finite-state system verification has attained great successes, both using automata-based and logic-based techniques. Examples of the former are the so-called explicit-state model checkers [Holzmann 1997] and symbolic model checkers [Clarke et al. 1996]. However, some of the best results have been obtained by logic-based techniques, such as Bounded Model Checking (BMC) [Biere et al. 1999], a fully automated (although potentially incomplete) procedure. In BMC, a finite-state machine $A$ (typically, a version of Büchi automata) and a desired property $P$ expressed in Propositional Linear Temporal Logic (PLTL) are translated into a Boolean formula $\phi$ to be fed to a SAT solver. The translation is made finite by bounding the number of time instants. However, infinite behaviors, which are crucial in proving, e.g., liveness properties, are also considered by using the well-known property that a Büchi automaton accepts an infinite behavior if, and only if, it accepts an infinite periodic behavior. Hence, having chosen a bound $k > 0$, a Boolean formula $\phi_k$ is built, such that $\phi_k$ is satisfiable if and only if there exists an infinite periodic behavior of the form $\alpha\beta^\omega$, with $|\alpha\beta| \le k$, that is compatible with system $A$ while violating property $P$. This procedure allows counterexample detection, but it is not complete, since the violations of property $P$ requiring "longer" behaviors, i.e., of the form $\alpha\beta^\omega$ with $|\alpha\beta| > k$, are not detected. However, in many practical cases it is possible to find bounds large enough for representing counterexamples, but small enough so that the SAT solver can actually find them in a reasonable time.

Clearly, the BMC procedure can be used to check satisfiability of a PLTL formula, without considering a finite-state system $A$. This has practical applications, since a PLTL formula can represent both the system and the property to be checked (see, e.g., [Pradella et al. 2012], where the translation into Boolean formulae is made more specific for dealing with satisfiability checking and metric temporal operators). We call this case Bounded Satisfiability Checking (BSC), which consists in solving a so-called Bounded Satisfiability Problem: given a PLTL formula $P$ and a chosen bound $k > 0$, define a Boolean formula $\phi_k$ such that $\phi_k$ is satisfiable if, and only if, there exists an infinite periodic behavior of the form $\alpha\beta^\omega$, with $|\alpha\beta| \le k$, that satisfies $P$.

More recently, great attention has been given to the automated verification of infinite-state systems. In particular, many extensions of temporal logic and automata have been proposed, typically by adding integer variables and arithmetic constraints. For instance, PLTL has been extended to allow formulae with various kinds of arithmetic constraints [Comon and Cortier 2000; Demri and D'Souza 2002]. This has led to the study of CLTL($\mathcal{D}$), a general framework extending the future fragment of PLTL by allowing arithmetic constraints belonging to a generic constraint system $\mathcal{D}$. The resulting logics are expressive and well-suited to define infinite-state systems and their properties, but, even for the bounded case, their satisfiability is typically undecidable [Demri and Gascon 2006], since they can simulate general two-counter machines when $\mathcal{D}$ is powerful enough (e.g., Difference Logic).

However, there are some decidability results, which allow in principle for some kind of automatic verification. Most notably, satisfiability of CLTL($\mathcal{D}$) is decidable (in PSPACE) when $\mathcal{D}$ is the class of Integer Periodic Constraints (IPC$^*$) [Demri and Gascon 2007], or when it is the structure $(D, <, =)$ with $D \in \{\mathbb{N}, \mathbb{Z}, \mathbb{Q}, \mathbb{R}\}$ [Demri and D'Souza 2007]. In these cases, decidability is shown by using an automata-based approach similar to the standard case for LTL, by reducing satisfiability checking to emptiness verification of Büchi automata. Given a CLTL($\mathcal{D}$) formula $\phi$, with $\mathcal{D}$ as in the above cases, it is in fact possible to define an automaton $\mathcal{A}_\phi$ such that $\phi$ is satisfiable if, and only if, the language recognized by $\mathcal{A}_\phi$ is not empty.

These results, although of great theoretical interest, are not well suited for a direct implementation, since the involved constructions are very inefficient.

In this paper, we extend the above results to a more general logic, called CLTLB($\mathcal{D}$), which is an extension of PLTLB (PLTL with Both future and past operators) with arithmetic constraints in constraint system $\mathcal{D}$, and consider a procedure for satisfiability verification that does not rely on automata constructions. This procedure is implemented in the Zot toolkit$^1$ and verified by standard SMT solvers, such as z3 [Microsoft Research 2009].

The idea of the procedure is to verify satisfiability by checking a finite number of $k$-satisfiability problems. Informally, $k$-satisfiability amounts to looking for ultimately periodic symbolic models of the form $\alpha\beta^\omega$, i.e., such that the prefix $\alpha\beta$ of length $k$ admits a bounded arithmetic model (up to instant $k$). Although the $k$-bounded problem is defined with respect to a bounded arithmetical model, it provides a finite representation of infinite symbolic models by means of ultimately periodic words. When CLTLB($\mathcal{D}$) has the property that its ultimately periodic symbolic models, of the form $\alpha\beta^\omega$, always admit an arithmetic model, then the $k$-satisfiability problem can be reduced to satisfiability of QF-EU$\mathcal{D}$ (the theory of quantifier-free equality and uninterpreted functions combined with $\mathcal{D}$). In this case, $k$-satisfiability is equivalent to satisfiability over infinite models.

Symmetrically to standard LTL, where bounded model checking and SAT solvers can be used as an alternative to automata-theoretic approaches to model checking, reducing satisfiability to $k$-satisfiability allows SMT solvers to be used in solving satisfiability for CLTLB($\mathcal{D}$) formulae, instead of checking emptiness of a Büchi automaton. Moreover, when the length of all prefixes $\alpha\beta$ to be tested is bounded by some finite $K$, then the number of bounded problems to be solved is also bounded. Therefore, we also prove that $k$-satisfiability is complete with respect to the satisfiability problem, i.e., by checking at most $K$ bounded problems the satisfiability of CLTLB($\mathcal{D}$) formulae can always be decided.

The paper is organized as follows. Section 2 describes CLTL($\mathcal{D}$) and the richer language CLTLB($\mathcal{D}$), and their main known decidability techniques and results. Section 3 defines the $k$-satisfiability problem, and the actual Boolean encoding of a CLTLB($\mathcal{D}$) formula is presented in Section 4. Section 5 shows the correctness of the encoding. Section 6 proves that, provided that $\mathcal{D}$ satisfies suitable conditions, the procedure of Section 4 always terminates, due to the existence of a completeness threshold. Section 7 describes relevant related work. Finally, Section 8 concludes the paper highlighting some possible applications of the decision procedure for CLTLB($\mathcal{D}$) implemented in the Zot automated verification tool.

$^1$ http://zot.googlecode.com



2. PRELIMINARIES 



This section presents an extension to Kamp's [Kamp 1968] PLTLB, by allowing formulae over a constraint system. As suggested in [Comon and Cortier 2000], and unlike the approach of [Demri 2004], the propositional variables of this logic are Boolean terms or atomic arithmetic constraints.



2.1. Language of constraints 

Let $V$ be a finite set of variables; a constraint system is a pair $\mathcal{D} = (D, \mathcal{R})$ where $D$ is a specific domain of interpretation for variables and constants and $\mathcal{R}$ is a family of relations on $D$ that is closed under complement. An atomic $\mathcal{D}$-constraint is a term of the form $R(x_1, \dots, x_n)$, where $R$ is an $n$-ary relation of $\mathcal{R}$ on domain $D$ and $x_1, \dots, x_n$ are variables. A $\mathcal{D}$-valuation is a mapping $v : V \to D$, i.e., an assignment of a value in $D$ to each variable. A constraint is satisfied by a $\mathcal{D}$-valuation $v$, written $v \models_{\mathcal{D}} R(x_1, \dots, x_n)$, if $(v(x_1), \dots, v(x_n)) \in R$.



In Section 5.1 we consider $\mathcal{D}$ to be Integer Periodic Constraints (IPC$^*$) or its fragments (e.g., $(\mathbb{Z}, <, =)$ or $(\mathbb{N}, <, =)$) and $(D, <, =)$ when $<$ is a dense order without endpoints, e.g., $D = \mathbb{R}, \mathbb{Q}$. The language IPC$^*$ is defined by the following grammar, where $\xi$ is the axiom:

$$\xi := \theta \mid x < y \mid \xi \wedge \xi \mid \neg \xi$$
$$\theta := x \equiv_c d \mid x \equiv_c y + d \mid x = y \mid x < d \mid x = d \mid \theta \wedge \theta \mid \neg \theta$$

where $x, y \in V$, $c \in \mathbb{N}^+$ and $d \in \mathbb{Z}$. The first definition of IPC$^*$ can be found in [Demri and Gascon 2005]; it is different from ours since it allows existentially quantified formulae (i.e., $\theta := \exists x\, \theta$) to be part of the language. However, since IPC$^*$ is a fragment of Presburger arithmetic, it has the same expressivity as the above quantifier-free version (but with an exponential blow-up to remove quantifiers). Its restriction IPC$^{++}$ is the language defined by considering $\theta$, rather than $\xi$, as the axiom in the above grammar.

Given a valuation $v$, the satisfaction relation $\models_{\mathcal{D}}$ is defined:

— $v \models_{\mathcal{D}} x \sim y$ iff $v(x) \sim v(y)$;

— $v \models_{\mathcal{D}} x \sim d$ iff $v(x) \sim d$;

— $v \models_{\mathcal{D}} x \equiv_c d$ iff $v(x) - d = kc$ for some $k \in \mathbb{Z}$;

— $v \models_{\mathcal{D}} x \equiv_c y + d$ iff $v(x) - v(y) - d = kc$ for some $k \in \mathbb{Z}$;

— $v \models_{\mathcal{D}} \xi_1 \wedge \xi_2$ iff $v \models_{\mathcal{D}} \xi_1$ and $v \models_{\mathcal{D}} \xi_2$;

— $v \models_{\mathcal{D}} \neg \xi$ iff $v \not\models_{\mathcal{D}} \xi$;

where $\sim$ is either $=$ or $<$. A constraint $\xi$ is satisfiable if there is a valuation $v$ such that $v \models_{\mathcal{D}} \xi$. Given a set of IPC$^*$ constraints $C$, we write $v \models_{\mathcal{D}} C$ when $v \models_{\mathcal{D}} \xi$ for every $\xi \in C$.
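The satisfaction relation above, as an added worked example that is not part of the paper: a small Python checker for IPC$^*$ constraints under a $\mathcal{D}$-valuation over $\mathbb{Z}$, together with a brute-force search for a satisfying valuation inside a finite box. The tuple encoding of constraints, the function names and the sample constraints are this example's own choices, not the paper's notation; the modular clauses follow the definition $v(x) - d = kc$ literally, which is why they are correct for negative values too.

```python
# Added example (not from the paper): checker for the IPC* satisfaction relation of
# Section 2.1 over integer valuations, plus a brute-force search for a satisfying
# valuation inside a finite box. The tuple encoding below is this example's own:
#   ('lt', x, y)      x < y       ('eq', x, y)           x = y
#   ('ltc', x, d)     x < d       ('eqc', x, d)          x = d
#   ('mod', x, c, d)  x =_c d     ('modv', x, c, y, d)   x =_c y + d
#   ('and', a, b)     a and b     ('not', a)             not a
from itertools import product

def _multiple_of(lhs, c):
    """lhs = k*c for some integer k.  Python's % is non-negative for c > 0, so this
    is right for negative lhs too: -4 =_3 2 holds because (-4 - 2) % 3 == 0."""
    if c <= 0:
        raise ValueError("period c must be in N+, got %r" % (c,))
    return lhs % c == 0

def sat(v, xi):
    """v |=_D xi for a valuation v (dict variable -> int) and an IPC* constraint xi."""
    tag = xi[0]
    if tag == 'lt':
        return v[xi[1]] < v[xi[2]]
    if tag == 'eq':
        return v[xi[1]] == v[xi[2]]
    if tag == 'ltc':
        return v[xi[1]] < xi[2]
    if tag == 'eqc':
        return v[xi[1]] == xi[2]
    if tag == 'mod':                      # x =_c d      iff  v(x) - d = k*c
        return _multiple_of(v[xi[1]] - xi[3], xi[2])
    if tag == 'modv':                     # x =_c y + d  iff  v(x) - v(y) - d = k*c
        return _multiple_of(v[xi[1]] - v[xi[3]] - xi[4], xi[2])
    if tag == 'and':
        return sat(v, xi[1]) and sat(v, xi[2])
    if tag == 'not':
        return not sat(v, xi[1])
    raise ValueError("unknown constraint: %r" % (xi,))

def sat_all(v, constraints):
    """v |=_D C for a set C of constraints."""
    return all(sat(v, xi) for xi in constraints)

def in_ipc_pp(xi):
    """True iff xi lies in the fragment IPC++ (theta as axiom), i.e. it contains
    no atom x < y comparing two variables."""
    if xi[0] == 'lt':
        return False
    if xi[0] in ('and', 'not'):
        return all(in_ipc_pp(sub) for sub in xi[1:])
    return True

def find_valuation(constraints, variables, lo, hi):
    """First valuation in [lo, hi]^|V| (lexicographic order) satisfying all
    constraints, or None. Exhaustive, so only meant for small instances; a None
    answer says nothing about satisfiability outside the box."""
    for values in product(range(lo, hi + 1), repeat=len(variables)):
        v = dict(zip(variables, values))
        if sat_all(v, constraints):
            return v
    return None

# Constructed sample: x odd, y of the opposite parity to x, and x < y.
SAMPLE = [('lt', 'x', 'y'), ('mod', 'x', 2, 1), ('modv', 'y', 2, 'x', 1)]
```

`find_valuation(SAMPLE, ['x', 'y'], 0, 3)` returns `{'x': 1, 'y': 2}`; the same search over `[('ltc', 'x', 0), ('mod', 'x', 2, 0)]` in the box $[0, 3]$ returns `None` even though the constraint is satisfiable (by any negative even number), which is the bounded-search caveat that the rest of the paper addresses with a completeness threshold.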



2.2. Syntax of CLTLB 

Let $\mathcal{D} = (D, \mathcal{R})$ be a constraint system. CLTLB($\mathcal{D}$) is defined as an extension of PLTLB, where atomic formulae are relations from $\mathcal{R}$ over arithmetic temporal terms defined in $\mathcal{D}$. The resulting logic is actually equivalent to the quantifier-free fragment of first-order LTL over signature $\mathcal{R}$. Let $x$ be a variable; arithmetic temporal terms (a.t.t.) are defined as:

$$\alpha := c \mid x \mid \mathrm{X}\alpha \mid \mathrm{Y}\alpha$$

where $c$ is a constant in $D$ and $x$ denotes variables over $D$. The syntax of (well-formed) formulae of CLTLB($\mathcal{D}$) is recursively defined as follows:

$$\phi := R(\alpha_1, \dots, \alpha_n) \mid \phi \wedge \phi \mid \neg \phi \mid \mathbf{X}\phi \mid \mathbf{Y}\phi \mid \phi \mathbf{U} \phi \mid \phi \mathbf{S} \phi$$

where the $\alpha_i$'s are a.t.t.'s, $R \in \mathcal{R}$, $\mathbf{X}$ and $\mathbf{Y}$ are the usual "next" and "previous" operators from LTL, as well as the usual "until" $\mathbf{U}$ and "since" $\mathbf{S}$ operators. Notice that $\mathbf{X}$ and $\mathrm{X}$ are two distinct operators, with similar meaning. If $\phi$ is a formula, $\mathbf{X}\phi$ has the known meaning as in PLTL, while $\mathrm{X}\alpha$, where $\alpha$ is an a.t.t., denotes the value of $\alpha$ in the next time instant. The same holds for $\mathbf{Y}$ and $\mathrm{Y}$, which refer to the previous time instant. Thanks to the obvious property that, for each $h \ge k$, $\mathrm{X}^h \mathrm{Y}^k x = \mathrm{X}^{h-k} x$ and $\mathrm{Y}^h \mathrm{X}^k x = \mathrm{Y}^{h-k} x$, in the following we will assume, with no loss of generality, that a.t.t.'s do not contain any nested alternated occurrences of the operators $\mathrm{X}$ and $\mathrm{Y}$. Each relation symbol is associated with a nonnegative integer denoting its arity. As we will see in Section 5, we can treat separately 0-ary relations, whose set is denoted by $\mathcal{R}_0$. We also write CLTLB($\mathcal{D}, \mathcal{R}_0$) to denote the language CLTLB over the constraint system $\mathcal{D}$ whose 0-ary relations are exactly those in $\mathcal{R}_0$. CLTL($\mathcal{D}$) is the future fragment of CLTLB($\mathcal{D}$) such that only $\mathbf{X}$, $\mathrm{X}$ and $\mathbf{U}$ occur in formulae. The depth $|\alpha|$ of an a.t.t. is the total amount of temporal shift needed in evaluating $\alpha$:

$$|x| = 0, \qquad |\mathrm{X}\alpha| = |\alpha| + 1, \qquad |\mathrm{Y}\alpha| = |\alpha| - 1.$$

Let $\phi$ be a CLTLB($\mathcal{D}, \mathcal{R}_0$) formula, $x$ a variable of $V$ and $T_x(\phi)$ the set of all a.t.t.'s occurring in $\phi$ in which $x$ appears. We define the "look-forward" $\lceil \phi \rceil_x$ and "look-backward" $\lfloor \phi \rfloor_x$ of $\phi$ relative to $x$ as:

$$\lceil \phi \rceil_x = \max_{\alpha_i \in T_x(\phi)} \{0, |\alpha_i|\}, \qquad \lfloor \phi \rfloor_x = \min_{\alpha_i \in T_x(\phi)} \{0, |\alpha_i|\}.$$

The definitions above naturally extend to $V$ by letting $\lceil \phi \rceil = \max_{x \in V} \{\lceil \phi \rceil_x\}$ and $\lfloor \phi \rfloor = \min_{x \in V} \{\lfloor \phi \rfloor_x\}$. Hence, $\lceil \phi \rceil$ ($\lfloor \phi \rfloor$) is the largest (smallest) depth of all the a.t.t.'s of $\phi$, representing the length of the future (past) segment needed to evaluate $\phi$ in the current instant.

2.3. Semantics 

The semantics of CLTLB($\mathcal{D}, \mathcal{R}_0$) formulae is defined with respect to a strict linear order representing time, $(\mathbb{Z}, <)$. Truth values of propositions in $\mathcal{R}_0$, and values of variables belonging to $V$, are defined by a pair $(\pi, \sigma)$ where $\sigma : \mathbb{Z} \times V \to D$ is a function which defines the value of variables at each position in $\mathbb{Z}$ and $\pi : \mathbb{Z} \to \wp(\mathcal{R}_0)$ is a function associating a subset of the set of propositions with each element of $\mathbb{Z}$. The value of terms is defined with respect to $\sigma$ as follows:

$$\sigma(i, \alpha) = \sigma(i + |\alpha|, x_\alpha)$$

assuming that $x_\alpha$ is the variable in $V$ occurring in term $\alpha$. The semantics of a CLTLB($\mathcal{D}, \mathcal{R}_0$) formula $\phi$ at instant $i \ge 0$ over a linear structure $(\pi, \sigma)$ is recursively defined by means of a satisfaction relation $\models$ as follows, for every formulae $\phi, \psi$ and for every a.t.t. $\alpha$:

$$(\pi, \sigma), i \models p \Leftrightarrow p \in \pi(i) \quad \text{for } p \in \mathcal{R}_0$$
$$(\pi, \sigma), i \models R(\alpha_1, \dots, \alpha_n) \Leftrightarrow (\sigma(i + |\alpha_1|, x_{\alpha_1}), \dots, \sigma(i + |\alpha_n|, x_{\alpha_n})) \in R$$
$$(\pi, \sigma), i \models \neg\phi \Leftrightarrow (\pi, \sigma), i \not\models \phi$$
$$(\pi, \sigma), i \models \phi \wedge \psi \Leftrightarrow (\pi, \sigma), i \models \phi \text{ and } (\pi, \sigma), i \models \psi$$
$$(\pi, \sigma), i \models \mathbf{X}\phi \Leftrightarrow (\pi, \sigma), i + 1 \models \phi$$
$$(\pi, \sigma), i \models \mathbf{Y}\phi \Leftrightarrow (\pi, \sigma), i - 1 \models \phi \wedge i > 0$$
$$(\pi, \sigma), i \models \phi \mathbf{U} \psi \Leftrightarrow \exists j \ge i : (\pi, \sigma), j \models \psi \wedge (\pi, \sigma), n \models \phi \ \forall\, i \le n < j$$
$$(\pi, \sigma), i \models \phi \mathbf{S} \psi \Leftrightarrow \exists\, 0 \le j \le i : (\pi, \sigma), j \models \psi \wedge (\pi, \sigma), n \models \phi \ \forall\, j < n \le i$$

where $x_{\alpha_i}$ is the variable that appears in $\alpha_i$, and $R \in \mathcal{R} \setminus \mathcal{R}_0$.
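The semantics above, together with the depth and look-forward/look-backward definitions of Section 2.2, as an added example that is not the paper's or Zot's code: a Python evaluator that decides $(\pi, \sigma), i \models \phi$ on an ultimately periodic model $\alpha\beta^\omega$, the shape of model the bounded procedure searches for. The tuple encodings of terms and formulae, the dictionary of relation predicates, the class and function names and the sample model are this example's own assumptions; constants are given depth 0, which the paper does not state explicitly. The model is defined on $\mathbb{N}$ only, so a term that looks to a negative position raises an error (the paper eliminates $\mathrm{Y}$ over terms before encoding).

```python
# Added example (not the paper's or Zot's code): evaluator for the CLTLB(D, R0)
# semantics of Section 2.3 on an ultimately periodic model alpha beta^omega.
# Encodings are this example's own assumptions:
#   a.t.t.  : ('const', c) | ('var', x) | ('X', t) | ('Y', t)
#   formula : ('prop', p) | ('rel', name, [t1, ..., tn]) | ('not', f) | ('and', f, g)
#             | ('next', f) | ('prev', f) | ('until', f, g) | ('since', f, g)
# Relation names (R \ R0) are resolved through a dict of Python predicates.

def depth(term):
    """|alpha|: total temporal shift of a term (|x| = 0; constants assumed 0)."""
    tag = term[0]
    if tag in ('const', 'var'):
        return 0
    if tag == 'X':
        return depth(term[1]) + 1
    if tag == 'Y':
        return depth(term[1]) - 1
    raise ValueError("not a term: %r" % (term,))

def terms_of(phi):
    """All a.t.t.'s occurring in phi, nested subformulas included."""
    if phi[0] == 'prop':
        return []
    if phi[0] == 'rel':
        return list(phi[2])
    return [t for sub in phi[1:] for t in terms_of(sub)]

def look_forward(phi):
    """Ceil(phi): largest depth over the a.t.t.'s of phi, at least 0."""
    return max([0] + [depth(t) for t in terms_of(phi)])

def look_backward(phi):
    """Floor(phi): smallest depth over the a.t.t.'s of phi, at most 0."""
    return min([0] + [depth(t) for t in terms_of(phi)])

def past_ops(phi):
    """Number of Y/S formula operators in phi (bounds the transient in 'until')."""
    if phi[0] in ('prop', 'rel'):
        return 0
    return (phi[0] in ('prev', 'since')) + sum(past_ops(sub) for sub in phi[1:])

class UPModel:
    """(pi, sigma) given as alpha beta^omega; a position is (set of props, {var: value}).
    Positions are natural numbers: looking before 0 raises (the paper removes
    Y over terms before encoding, so that case never reaches the solver)."""
    def __init__(self, alpha, beta):
        if not beta:
            raise ValueError("the period beta must be non-empty")
        self.alpha, self.beta = list(alpha), list(beta)

    def at(self, i):
        if i < 0:
            raise ValueError("position %d is outside N" % i)
        if i < len(self.alpha):
            return self.alpha[i]
        return self.beta[(i - len(self.alpha)) % len(self.beta)]

    def pi(self, i):
        return self.at(i)[0]

    def sigma(self, i, x):
        return self.at(i)[1][x]

    def value(self, i, term):
        """sigma(i, alpha) = sigma(i + |alpha|, x_alpha); a constant is its own value."""
        base = term
        while base[0] in ('X', 'Y'):
            base = base[1]
        if base[0] == 'const':
            return base[1]
        return self.sigma(i + depth(term), base[1])

def holds(model, rels, phi, i):
    """(pi, sigma), i |= phi, clause by clause as in Section 2.3."""
    tag = phi[0]
    if tag == 'prop':
        return phi[1] in model.pi(i)
    if tag == 'rel':
        return bool(rels[phi[1]](*[model.value(i, t) for t in phi[2]]))
    if tag == 'not':
        return not holds(model, rels, phi[1], i)
    if tag == 'and':
        return holds(model, rels, phi[1], i) and holds(model, rels, phi[2], i)
    if tag == 'next':
        return holds(model, rels, phi[1], i + 1)
    if tag == 'prev':
        return i > 0 and holds(model, rels, phi[1], i - 1)
    if tag == 'until':
        # From position |alpha| - floor(phi) + (#past ops)*|beta| on, both operands'
        # truth values repeat with period |beta|, so the least witness j >= i, if
        # any, lies before one full period past that point: the scan is exact.
        n = len(model.beta)
        periodic_from = len(model.alpha) - look_backward(phi) + past_ops(phi) * n
        for j in range(i, max(i, periodic_from) + n):
            if holds(model, rels, phi[2], j):
                return True
            if not holds(model, rels, phi[1], j):
                return False
        return False
    if tag == 'since':
        for j in range(i, -1, -1):
            if holds(model, rels, phi[2], j):
                return True
            if not holds(model, rels, phi[1], j):
                return False
        return False
    raise ValueError("not a formula: %r" % (phi,))

# Constructed sample model: x takes 0, 1, 3, then 5 forever; 'start' holds at 0 only.
SAMPLE_RELS = {'lt': lambda a, b: a < b, 'eq': lambda a, b: a == b}
SAMPLE_MODEL = UPModel(alpha=[({'start'}, {'x': 0}), (set(), {'x': 1}), (set(), {'x': 3})],
                       beta=[(set(), {'x': 5})])
X_VAR = ('var', 'x')
INC = ('rel', 'lt', [X_VAR, ('X', X_VAR)])      # x < Xx
REACH5 = ('rel', 'eq', [X_VAR, ('const', 5)])    # x = 5
```

On the sample model `holds(SAMPLE_MODEL, SAMPLE_RELS, ('until', INC, REACH5), 0)` is true (the value strictly increases until it reaches 5), while the same formula with $x = 7$ as right operand is false, because once the period is entered $x < \mathrm{X}x$ fails at every position. The bounded scan in the `until` clause is the finite-model argument of the paper in miniature: on an ultimately periodic structure, an unbounded existential over positions can be decided by inspecting one period past the point where all subformulas have become periodic.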

A formula $\phi \in$ CLTLB($\mathcal{D}, \mathcal{R}_0$) is satisfiable if there exists a pair $(\pi, \sigma)$ such that $(\pi, \sigma), 0 \models \phi$; in this case, we say that $(\pi, \sigma)$ is a model of $\phi$, $\pi$ is a propositional model and $\sigma$ is an arithmetic model. By introducing as primitive the connective $\vee$, the dual operators "release" $\mathbf{R}$, "trigger" $\mathbf{T}$ and "previous" $\mathbf{Z}$ are defined as: $\phi \mathbf{R} \psi = \neg(\neg\phi \mathbf{U} \neg\psi)$, $\phi \mathbf{T} \psi = \neg(\neg\phi \mathbf{S} \neg\psi)$ and $\mathbf{Z}\phi = \neg\mathbf{Y}\neg\phi$; by applying De Morgan's rules, we may assume every CLTLB formula to be in positive normal form, i.e., negation may only occur in front of atomic propositions, while negated $\mathcal{D}$-constraints are avoided by means of their complement relations.



2.4. CLTL with automata 

In this section, we recall some known results where the propositional part $\pi$ of $(\pi, \sigma)$ is either missing or can be eliminated. It is proved that, for some constraint systems $\mathcal{D}$ more expressive than IPC$^*$, the future fragment CLTL($\mathcal{D}$) can encode runs of a class of Turing-equivalent two-counter automata called Minsky machines. Minsky machines are finite-state automata endowed with two nonnegative integer counters $c_1, c_2$ which can be either incremented or decremented by 1 and tested against 0 over transitions. Any formalism which is able to simulate such a class of machines inherits the full expressiveness and undecidability properties of Turing machines. To represent increment and decrement instructions, the grammar of formulae $\xi$ of IPC$^*$ must be enriched with formulae of the form $x < y + d$, where $d \in D$ and $x, y$ are two variables. Such a language is called difference logic, which we denote by DL$^+$ (DL is the fragment without the modulo operator $\equiv_k$). Hereafter, we write CLTL$^a_b(\mathcal{D})$ to denote the language of CLTL formulae such that the cardinality of the set $V$ of variables is $a$ and the length $\lceil \phi \rceil$ is equal to $b$ (with $\lfloor \phi \rfloor = 0$).

The first undecidability result for the satisfiability of CLTL is given by Comon and Cortier [Comon and Cortier 2000, Theorem 3], who show that halting runs of a Minsky machine can be encoded into CLTL$^3_1$(DL) formulae, where one auxiliary counter encodes the control states of the system labeling instructions. Therefore, the satisfiability problem for CLTL$^3_1$(DL) is $\Sigma^1_1$-hard. The authors suggest a way to regain decidability by means of a syntactic restriction on formulae including the $\mathbf{U}$ temporal operator. The "flat" fragment of CLTL(DL) consists of CLTL formulae such that the subformula $\phi$ of $\phi \mathbf{U} \psi$ is $\top$, $\bot$ or a conjunction $\xi_1 \wedge \dots \wedge \xi_m$ where $\xi_i \in$ DL. The fragment has a nice correspondence with a special class of counter systems (flat relational counter systems) with Büchi acceptance condition, for which the emptiness problem is decidable. Satisfiability is undecidable also in the case of CLTL$^1_2$(DL) and CLTL$^2_1$(DL). In fact, even though CLTL$^1_2$(DL) has only one variable, it is expressive enough to encode runs of Minsky machines: models of CLTL$^1_2$(DL) formulae can represent counter $c_1$ at even positions and counter $c_2$ at odd positions. The recurrence problem for nondeterministic Minsky machines, which is $\Sigma^1_1$-hard [Alur and Henzinger 1994], can be reduced to the satisfiability problem for CLTL$^1_2$(DL), which then results to be $\Sigma^1_1$-hard. From previous undecidability results, the satisfiability problem for the CLTL language over two integer variables, CLTL$^2_1$(DL), is $\Sigma^1_1$-hard. Formulae of CLTL$^1_2$(DL) can be syntactically translated to formulae of CLTL$^2_1$(DL) by means of a map $f$ such that $\phi$ belonging to CLTL$^1_2$(DL) is satisfiable if, and only if, $f(\phi)$ belonging to CLTL$^2_1$(DL) is satisfiable. Both the languages CLTL$^1_2$(DL) and CLTL$^2_1$(DL) are also $\Sigma^1_1$-complete, by reducing the $\Sigma^1_1$-hard model-checking problem to satisfiability.

The satisfiability (and model-checking) problem for CLTL over the structure $(D, <, =)$ with $D \in \{\mathbb{N}, \mathbb{Z}, \mathbb{Q}, \mathbb{R}\}$ is studied in [Demri and D'Souza 2007], and for IPC$^*$ in [Demri and Gascon 2007]. Decidability of the satisfiability problem for the above cases is shown by means of an automata-based approach similar to the standard case for LTL. Satisfiability for CLTL(IPC$^*$) and CLTL($<, =$) over $\mathbb{N}, \mathbb{Z}, \mathbb{Q}, \mathbb{R}$ is obtained by Demri and Gascon in [Demri and Gascon 2005] by reducing the problem to the emptiness problem for Büchi automata. Given a CLTL formula $\phi$, it is possible to define an automaton $\mathcal{A}_\phi$ such that $\phi$ is satisfiable if, and only if, $\mathcal{L}(\mathcal{A}_\phi)$ is not empty. Since the emptiness of $\mathcal{L}(\mathcal{A}_\phi)$ in the considered structures is decidable with a PSPACE upper bound (in the dimension of $\phi$), the satisfiability problem is also decidable with the same complexity.

Hereafter, we restrict $\mathcal{D}$ to be the structure defined by IPC$^*$, or by $(D, <, =)$, where $D \in \{\mathbb{N}, \mathbb{Z}, \mathbb{Q}, \mathbb{R}\}$. We briefly recall some useful notions which we use in the following sections and which are essential to develop our decision procedure without automata construction. We will simply write CLTL in place of CLTL$^a_b$ when the parameters $a$ and $b$ are immaterial. In order to represent exactly the models of a CLTLB($\mathcal{D}$) formula $\phi$ (without the $\mathrm{Y}$ temporal modality over variables) by means of automata, we need to represent symbolically all models $\sigma$ such that $\sigma, 0 \models \phi$.

Let $\phi$ be a CLTLB($\mathcal{D}$) formula and $terms(\phi)$ be the set of arithmetic terms of the form $\mathrm{X}^i x$ for all $0 \le i \le \lceil \phi \rceil$ and for all $x \in V$. If domain $D$ is discrete, let $const(\phi) = \{m, \dots, M\}$ be the set of constants occurring in $\phi$, where $m, M \in D$ are the minimum and maximum constants. We extend $const(\phi)$ to the set $const'(\phi) = [m, M]$ of all values between $m$ and $M$. Constant $K$ is the l.c.m. of the constants $c$ occurring in periodic constraints $x \equiv_c y$ and $x \equiv_c y + d$.

A set of $\mathcal{D}$-constraints over $terms(\phi)$ is maximally consistent if for every $\mathcal{D}$-constraint $\theta$ over $terms(\phi) \cup const(\phi)$, either $\theta$ or $\neg\theta$ is in the set.

Definition 2.1. A symbolic valuation $sv$ for $\phi$ is a maximally consistent set of $\mathcal{D}$-constraints over $terms(\phi)$ and $const(\phi)$.



The original definition of symbolic valuation for IPC$^*$ constraint systems in [Demri and Gascon 2005] is slightly different. There, it is defined as a triple $(S_1, S_2, S_3)$ where $S_1$ is a maximally consistent set of $\mathcal{D}$-constraints over $terms(\phi)$ and $const(\phi)$; $S_2$ is a set of constraints of the form $x = d$ and $S_3$ is a set of periodic constraints $x \equiv_k c$. Our definition of symbolic valuations does not consider the sets $S_2$ and $S_3$ because they are inherently represented by the $k$-bounded arithmetical models defined in Section 3. In other words, "explicit" assignments of values from $D$ to variables do not need to be symbolically represented by a symbolic constraint of the form $x = d$.

The set of all symbolic valuations for $\phi$ is denoted by $SV(\phi)$. To define the satisfiability of a symbolic valuation, each a.t.t. is considered as a new fresh variable. Let $A$ be a set of variables and $f : terms(\phi) \to A$ an injective function mapping each a.t.t. of $\phi$ into a fresh variable in set $A$. Function $f$ is naturally extended to every symbolic valuation $sv$ for $\phi$, by replacing each a.t.t. $\alpha \in terms(\phi)$ in $sv$ with $f(\alpha)$. Symbolic valuations for $\phi$ are now defined over the set $f(terms(\phi))$. A symbolic valuation $sv$ for $\phi$ is satisfiable if there exists a $\mathcal{D}$-valuation $v' : A \to D$ such that $v' \models_{\mathcal{D}} f(sv)$, i.e., satisfiability of $sv$ considers all a.t.t.'s as fresh variables.

Given a symbolic valuation $sv$ and a $\mathcal{D}$-constraint $\xi$ over a.t.t.'s, we write $sv \models \xi$ if for every $\mathcal{D}$-valuation $v'$ such that $v' \models_{\mathcal{D}} f(sv)$ we have $v' \models_{\mathcal{D}} f(\xi)$. We assume that the problem of checking $sv \models \xi$ is decidable. The satisfaction relation $\models$ can also be extended to sequences $\rho$ of symbolic valuations; it is the same as $\models$ for all temporal operators, except that an atomic formula at position $i$ is evaluated against the symbolic valuation $\rho(i)$ in the sense just defined. Then, given a CLTLB($\mathcal{D}$) formula $\phi$, we say that $\rho$ symbolically satisfies $\phi$ (or $\rho$ is a symbolic model for $\phi$) when $\rho, 0 \models \phi$.

Definition 2.2. A pair of symbolic valuations $(sv_1, sv_2)$ for $\phi$ is locally consistent if, for all $R$ in $\mathcal{R}$:

$$R(\mathrm{X}^{i_1} x_1, \dots, \mathrm{X}^{i_n} x_n) \in sv_1 \ \text{ implies } \ R(\mathrm{X}^{i_1 - 1} x_1, \dots, \mathrm{X}^{i_n - 1} x_n) \in sv_2$$

with $i_j \ge 1$ for all $j \in [1, n]$. A sequence of symbolic valuations $sv_0 sv_1 \dots$ is locally consistent if all pairs $(sv_i, sv_{i+1})$, $i \ge 0$, are locally consistent.

A locally consistent infinite sequence $\rho : \mathbb{N} \to SV(\phi)$ of symbolic valuations admits an arithmetic model if there exists a $\mathcal{D}$-valuation sequence $\sigma$ such that $\sigma, i \models \rho(i)$ for all $i \ge 0$. In this case, we write $\sigma, 0 \models \rho$.

The following fundamental proposition draws a link between satisfiability by sequences of symbolic valuations and by sequences of $\mathcal{D}$-valuations.

Proposition 2.3 ([Demri and D'Souza 2007]). A CLTL($\mathcal{D}$) formula $\phi$ is satisfiable if, and only if, there exists a symbolic model for $\phi$ which admits an arithmetical model, i.e., there exist $\rho$ and $\sigma$ such that $\rho, 0 \models \phi$ and $\sigma, 0 \models \rho$.

Following [Demri and D'Souza 2007], for constraint systems of the form $(D, <, =)$, where $<$ is a strict total ordering on $D$, it is possible to represent a symbolic valuation $sv$ by its labeled directed graph $G_{sv} = (V, \tau \subseteq V \times \{<, =\} \times V)$, such that $(x, \sim, y) \in \tau$ if, and only if, $x \sim y \in sv$. This construction extends also to sequences: given a sequence $\rho$ of symbolic valuations, it is possible to represent $\rho$ via the graph $G_\rho$ obtained by superimposition of the graphs corresponding to the symbolic valuations $\rho(i)$. More formally, $G_\rho = (V \times \mathbb{N}, \tau_\rho)$, where $((x, i), \sim, (y, j)) \in \tau_\rho$ if, and only if, either $i \le j$ and $(x \sim \mathrm{X}^{j-i} y) \in \rho(i)$, or $i > j$ and $(\mathrm{X}^{i-j} x \sim y) \in \rho(j)$.

An infinite path $d : \mathbb{N} \to V \times \mathbb{N}$ over $G_\rho$ is called a forward (resp. backward) path if:

(1) for all $i \in \mathbb{N}$, there is an edge from $d(i)$ to $d(i+1)$ (resp., an edge from $d(i+1)$ to $d(i)$);

(2) for all $i \in \mathbb{N}$, if $d(i) = (x, j)$ and $d(i+1) = (x', j')$, then $j < j'$.

A forward (resp. backward) path is strict if there exist infinitely many $i$ for which there is a $<$-labeled edge from $d(i)$ to $d(i+1)$ (resp., from $d(i+1)$ to $d(i)$). Intuitively, a (strict) forward path represents a sequence of (strictly) monotonically increasing values, whereas a (strict) backward path represents a sequence of (strictly) monotonically decreasing values.

Given a CLTL($\mathcal{D}$) formula $\phi$, it is possible [Demri and D'Souza 2007] to define a Büchi automaton recognizing the symbolic models of $\phi$, and then to reduce the satisfiability of $\phi$ to the emptiness of $\mathcal{A}_\phi$. The idea is that automaton $\mathcal{A}_\phi$ should accept the intersection of the following languages, which defines exactly the language of symbolic models of $\phi$:

(1) the language of LTL models $\rho$;

(2) the language of sequences of locally consistent symbolic valuations;

(3) the language of sequences of symbolic valuations which admit an arithmetic model.

Language (1) is accepted by the Vardi-Wolper automaton $\mathcal{A}_s$ of $\phi$ ([Vardi and Wolper 1986]), while language (2) is recognized by the automaton $\mathcal{A}_l = (SV(\phi), SV(\phi), \to, SV(\phi))$, where $sv_i \to sv_{i+1}$ if, and only if, the pair $(sv_i, sv_{i+1})$ is locally consistent ([Demri and D'Souza 2007]).

If the constraint system we are considering has the completion property (defined next), then any sequence of locally consistent symbolic valuations admits an arithmetic model, and condition (3) reduces to (2).

2.4.1. Completion property. Each automaton involved in the definition of $\mathcal{A}_\phi$ has the function of "filtering" sequences of symbolic valuations so that 1) they are locally consistent, 2) they satisfy an LTL property and 3) they admit an (arithmetic) model. For some constraint systems, admitting a model is a consequence of local consistency. A set of relations over $D$ has the completion property if, given:

(i) a symbolic valuation $sv$ over a finite set of variables $H \subseteq V$,

(ii) a subset $H' \subseteq H$,

(iii) a valuation $v'$ over $H'$ such that $v' \models sv'$, where $sv'$ is the subset of atomic formulae in $sv$ which use only variables in $H'$,

then there exists a valuation $v$ over $V$ extending $v'$ such that $v \models sv$. An example of such a relational structure is $(\mathbb{R}, <, =)$. Let $(D, <, =)$ be a relational structure defining the language of atomic formulae. We say that $D$ is dense, with respect to the order $<$, if for each $d, d' \in D$ such that $d < d'$ there exists $d'' \in D$ such that $d < d'' < d'$. $D$ is said to be open when for each $d \in D$ there exist two elements $d', d'' \in D$ such that $d' < d < d''$.

Lemma 2.4 (Lemma 5.3, [Demri and D'Souza 2007]). Let $(D, <, =)$ be a relational structure where $D$ is infinite and $<$ is a total order. Then it satisfies the completion property if, and only if, domain $D$ is dense and open.
The following result relies on the fact that every locally consistent sequence of symbolic valuations with respect to the relational structure $\mathcal{D}$ admits a model.

Proposition 2.5. Let $\mathcal{D}$ be a relational structure satisfying the completion property and $\phi$ be a CLTL($\mathcal{D}$) formula. Then, the language of sequences of symbolic valuations which admit a model is $\omega$-regular.

In this case the automaton $\mathcal{A}_\phi$ that recognizes exactly all the sequences of symbolic valuations which are symbolic models of $\phi$ is defined by the intersection (à la Büchi) $\mathcal{A}_\phi = \mathcal{A}_s \cap \mathcal{A}_l$.

In general, however, language (3) may not be $\omega$-regular. Nevertheless, if the constraint system is of the form $(D, <, =)$, it is possible to define an automaton $\mathcal{A}_C$ that accepts a superset of language (3), but such that all its ultimately periodic words are sequences of symbolic valuations that admit an arithmetic model. Actually, $\mathcal{A}_C$ recognizes a sequence $\rho$ of symbolic valuations that satisfies the following property:

Property 2.6 (C). There do not exist vertices $u$ and $v$ in the same symbolic valuation in $G_\rho$ satisfying all the following conditions:

(1) there is an infinite forward path $d$ from $u$;

(2) there is an infinite backward path $e$ from $v$;

(3) $d$ or $e$ is strict;

(4) for each $i, j \in \mathbb{N}$, whenever $d(i)$ and $e(j)$ belong to the same symbolic valuation there exists an edge, labeled by $<$, from $d(i)$ to $e(j)$.

Informally, property C guarantees that in the model there does not exist an infinite forward path whose values are infinitely often less than the values of an infinite backward path; in other words, an infinite strictly/non-strictly monotonically increasing sequence of values cannot be infinitely often less than an infinite non-strictly/strictly monotonically decreasing sequence of values.

The proposed method is general and it can be used whenever it is possible to build an automaton $\mathcal{A}_C$ which defines a condition C guaranteeing the existence of a sequence $\sigma$ such that $\sigma, 0 \models \rho$. In particular, for the constraint systems IPC$^*$, $(\mathbb{N}, <, =)$ and $(\mathbb{Z}, <, =)$, $\mathcal{A}_C$ can effectively be built. If $\mathcal{A}_\phi$ is defined as the (Büchi) product of $\mathcal{A}_l$, $\mathcal{A}_s$ and $\mathcal{A}_C$, then, since emptiness of Büchi automata can be checked just on ultimately periodic words, the language of $\mathcal{A}_\phi$ is empty if, and only if, $\phi$ has no symbolic model.

When condition C is sufficient and necessary for the existence of models $\sigma$ such that $\sigma, 0 \models \rho$, then automaton $\mathcal{A}_\phi$ represents all sequences of symbolic valuations which admit a model $\sigma$. A fundamental lemma, on which Proposition 2.8 below relies, draws a sufficient and necessary condition for the existence of models of sequences of symbolic valuations.

Lemma 2.7 ([Demri and D'Souza 2007]). Let $\rho$ be an ultimately periodic sequence of symbolic valuations of the form $\rho = \alpha\beta^\omega$ that is locally consistent. Then $\rho$ admits a model $\sigma$ if, and only if, $\rho$ satisfies C.

Therefore, the satisfiability problem can be solved by checking the emptiness of the language recognized by the automaton $\mathcal{A}_\phi$.

Proposition 2.8 ([Demri and D'Souza 2007]). A CLTL($\mathcal{D}$) formula $\phi$ is satisfiable iff the language $\mathcal{L}(\mathcal{A}_\phi)$ is not empty.

The next section provides two syntactic translations needed to obtain, from CLTLB($\mathcal{D}, \mathcal{R}_0$) formulae, equisatisfiable CLTLB($\mathcal{D}$) formulae without occurrences of the temporal modality $\mathrm{Y}$ and of 0-ary relations. The two reductions are essential to take advantage of Proposition 2.5 and Lemma 2.7, which allow us to define the decision procedure based on "bounded" satisfiability of Section 3. In particular, we define the bounded satisfiability problem, which consists in looking for ultimately periodic symbolic models such that the prefix $\alpha\beta$ is of fixed length (which is provided as input of the problem); moreover, we require that $\alpha\beta$ admits a finite model $\sigma_k$. Therefore, we show that when a formula is boundedly satisfiable then it is also satisfiable. We provide a (linear-space) reduction from the bounded satisfiability problem to the satisfiability of formulae in the quantifier-free theory of equality and uninterpreted functions QF-EUF combined with $\mathcal{D}$.

3. BOUNDED SATISFIABILITY PROBLEM

In this section, we provide the definition of the k-satisfiability problem for CLTLB(𝒟) formulae in terms of the existence of a so-called k-bounded arithmetical model σ_k, which provides a finite representation of infinite symbolic models by means of ultimately periodic words. This allows us to prove that k-satisfiability is still representative of the satisfiability problem as defined in Section 2.3. In fact, for some constraint systems, a bounded solution can be used to build the infinite model σ for the formula from the k-bounded one σ_k and from its symbolic model. We show that a formula φ is satisfiable if, and only if, it is k-satisfiable and its bounded solution can be used to derive its infinite model σ. In case of a negative answer to a k-bounded instance, we cannot immediately entail the unsatisfiability of the formula. However, we prove that for every formula φ there exists an upper bound K, which can effectively be determined, such that if φ is not k-satisfiable for all k in [1, K] then φ is unsatisfiable.

We first define the Bounded Satisfiability Problem (BSP), by considering bounded symbolic models of CLTLB(𝒟) formulae. A bounded symbolic model is, informally, a finite representation of infinite CLTLB(𝒟) models over the alphabet of symbolic valuations SV(φ). We restrict the analysis to ultimately periodic symbolic models, i.e., of the form ρ = α(β)^ω. BSP is defined with respect to a k-bounded model σ_k : {⌊φ⌋, ..., k + ⌈φ⌉} × V → D, a finite sequence ρ' (with |ρ'| = k + 1) of symbolic valuations and a k-bounded satisfaction relation defined as follows:

$$\sigma_k, 0 \models_k \rho' \quad\text{iff}\quad \sigma_k, i \models \rho'(i) \ \text{ for all } 0 \le i \le k.$$

The k-satisfiability problem of formula φ is defined as follows:

Input. A CLTLB(𝒟) formula φ, a constant k ∈ N.

Problem. Is there an ultimately periodic sequence of symbolic valuations ρ = αβ^ω (with |αβ| = k + 1), such that ρ, 0 ⊨ φ and which admits a k-bounded model σ_k such that σ_k, 0 ⊨_k ρ', with ρ' = αβ?

Since the length k is fixed, the procedure for determining the satisfiability of CLTLB(𝒟) formulae over bounded models is not complete: even if there is no accepting run of the automaton when ρ' as above has length k, there may be accepting runs for a larger ρ'.

Definition 3.1. Given a CLTLB(𝒟) formula φ, its completeness threshold K_φ, if it exists, is the smallest number such that φ is satisfiable if and only if φ is K_φ-satisfiable.

4. AN ENCODING FOR BSP WITHOUT AUTOMATA

In this section, we prove that the BSP for a CLTLB(𝒟) formula can be reduced to the satisfiability of a quantifier-free formula in the theory EUF ∪ 𝒟 (QF-EU𝒟), where EUF is the theory of Equality and Uninterpreted Functions, provided that 𝒟 includes a copy of N with the successor relation and that EUF ∪ 𝒟 is consistent. The last condition is easily verified in the case of the union of two consistent, disjoint, stably infinite theories (as is the case for EUF and arithmetic).

In [Bersani et al. 2010] a similar approach is described for the case of Integer Difference Logic (DL) constraints. It is worth noting that standard LTL can be encoded by a formula in QF-EU𝒟 with 𝒟 = (N, <). In this case, the encoding is more succinct than the Boolean one proposed in [Biere et al. 2006]. The encoding presented below represents ultimately periodic sequences of symbolic valuations ρ of the form sv_0 sv_1 ... sv_{loop−1} (sv_{loop} ... sv_k)^ω. To do this, we use a positive integer variable loop for which we require sv_{loop−1} = sv_k. Therefore, we look for a finite word ρ' = sv_0 sv_1 ... sv_{loop−1} (sv_{loop} ... sv_k) sv_{loop} of length k + 2 representing the ultimately periodic model above. Instant k + 1 in the encoding is used to correctly represent the periodicity of ρ by constraining atomic formulae (propositions and relations) at positions loop and k + 1. Moreover, all subformulae of φ at positions loop − 1 and k must be the same.

Encoding terms. We introduce an arithmetic formula function to encode all terms in the set terms(φ). To do so, an uninterpreted function α : Z → D is associated with each arithmetic temporal term α ∈ terms(φ). Let α be such a term; then the arithmetic formula function associated with it (denoted by the same name but written in boldface) is recursively defined with respect to a finite sequence of valuations σ_k as:

$$\begin{array}{c|c|c}
\alpha & 0 \le i < k & i = k \\ \hline
x & x(i) = \sigma_k(i, x) & x(k) = \sigma_k(k, x) \\
X\alpha' & \alpha(i) = \alpha'(i+1) & \alpha(k) = \sigma_k(k + |\alpha'| + 1, x_{\alpha'})
\end{array}$$

$$\begin{array}{c|c|c}
\alpha & 0 < i \le k+1 & i = 0 \\ \hline
Y\alpha' & \alpha(i) = \alpha'(i-1) & \alpha(0) = \sigma_k(|\alpha'| - 1, x_{\alpha'})
\end{array}$$

The conjunction of the above subformulae gives the formula |ArithConstraints|_k. Implementing |ArithConstraints|_k is straightforward. In fact, the assignments of values to variables are defined by the interpretation of the symbols of the QF-EU𝒟 formula. The values of variables x at positions before 0 and after k, i.e. in the intervals [⌊φ⌋, −1] and [k + 1, k + ⌈φ⌉], are defined by means of the values of terms α = X^i x and α = Y^i x. For instance, the value of x at position 0 > i ≥ ⌊φ⌋ is σ_k(i, x), but it is defined by the assignment for the term α = Y^i x at position 0.

Encoding relations. The formula |PropConstraints|_k encodes atomic subformulae θ containing relations over a.t.t.'s. Let R be an n-ary relation of 𝓡 that appears in φ, and α_1, ..., α_n be a.t.t.'s. We introduce a formula predicate θ : N → {true, false} for all R(α_1, ..., α_n) in φ:

$$\begin{array}{c|c}
\theta & 0 \le i \le k+1 \\ \hline
R(\alpha_1, \ldots, \alpha_n) & \theta(i) \Leftrightarrow R(\alpha_1(i), \ldots, \alpha_n(i))
\end{array}$$


Encoding formulae. The truth value of a CLTLB formula is defined with respect to the truth value of its subformulae. We associate with each subformula θ a formula predicate that is a unary uninterpreted predicate (denoted by the same name but written in boldface) θ : N → {true, false}. When the subformula θ holds at instant i then θ(i) holds. As the length of paths is fixed to k + 1 and all paths start from 0, formula predicates are actually subsets of {0, ..., k + 1}. Let θ be a subformula of φ; the formula predicate θ is recursively defined as:

$$\begin{array}{c|c}
\theta & 0 \le i \le k+1 \\ \hline
\neg\psi & \theta(i) \Leftrightarrow \neg\psi(i) \\
\psi_1 \wedge \psi_2 & \theta(i) \Leftrightarrow \psi_1(i) \wedge \psi_2(i)
\end{array}$$


Then, the conjunction of the formulae above is also part of the formula |PropConstraints|_k. The temporal behavior of future and past operators is defined by using their traditional fixpoint characterizations:

$$\begin{array}{c|c}
\theta & 0 \le i \le k \\ \hline
X\psi & \theta(i) \Leftrightarrow \psi(i+1) \\
\psi_1 U \psi_2 & \theta(i) \Leftrightarrow (\psi_2(i) \vee (\psi_1(i) \wedge \theta(i+1))) \\
\psi_1 R \psi_2 & \theta(i) \Leftrightarrow (\psi_2(i) \wedge (\psi_1(i) \vee \theta(i+1)))
\end{array}$$

$$\begin{array}{c|c|c}
\theta & 0 < i \le k+1 & i = 0 \\ \hline
Y\psi & \theta(i) \Leftrightarrow \psi(i-1) & \theta(0) \Leftrightarrow \bot \\
\psi_1 S \psi_2 & \theta(i) \Leftrightarrow (\psi_2(i) \vee (\psi_1(i) \wedge \theta(i-1))) & \theta(0) \Leftrightarrow \psi_2(0) \\
\psi_1 T \psi_2 & \theta(i) \Leftrightarrow (\psi_2(i) \wedge (\psi_1(i) \vee \theta(i-1))) & \theta(0) \Leftrightarrow \psi_2(0)
\end{array}$$

The conjunction of the above formulae gives the formula |TempConstraints|_k.
Encoding periodicity. To represent ultimately periodic sequences of symbolic valuations we use a positive integer variable loop encoding the periodicity of sv_0 sv_1 ... sv_{loop−1} (sv_{loop} ... sv_k)^ω, for which we require sv_{loop−1} = sv_k. Formula |LoopConstraints|_k below is defined by means of a loop-selecting variable loop ∈ N that takes values in [1, k] when the loop exists, which corresponds to the position where the periodic part (sv_{loop} ... sv_k) starts. Let θ be an n-ary relation R ∈ 𝓡. Then, periodicity is encoded by the following formula:

$$\bigwedge_{i=1}^{k} \Big( (loop = i) \Rightarrow \bigwedge_{\theta = R(\alpha_1, \ldots, \alpha_n),\ R \in \mathcal{R},\ \alpha_1, \ldots, \alpha_n \in terms(\phi)} \big( \theta(i-1) \Leftrightarrow \theta(k) \big) \Big)$$

Informally, if the value i of variable loop is between 1 and k, then there exists a loop which starts at i. The formula loop = i is well defined in QF-EU(N, <).

Last state constraints (|LastStateConstraints|_k) define an equivalence between truth values at point k + 1 and truth values at the point indicated by the loop variable, since the instant k + 1 is representative of the instant loop along periodic paths. Otherwise, for non-periodic paths, truth values in k + 1 are trivially false. These constraints have a similar structure as those in the original Boolean encoding, but here they are defined by only one constraint for each subformula θ of φ, w.r.t. the variable loop:

$$\Big( \bigwedge_{i=1}^{k} (loop = i) \Rightarrow \big( \theta(k+1) \Leftrightarrow \theta(i) \big) \Big) \wedge \Big( (loop \notin [1, k]) \Rightarrow \neg\theta(k+1) \Big)$$

Eventualities for U and R. To correctly define the semantics of U and R, their eventualities have to be accounted for. Briefly, if ψ_1 U ψ_2 holds at i, then ψ_2 eventually holds in some j ≥ i; if ψ_1 R ψ_2 does not hold at i, then ψ_2 eventually does not hold in some j ≥ i. Along finite paths of length k, eventualities must hold between 0 and k. Otherwise, if there is a loop, an eventuality may hold within the loop. The original Boolean encoding introduces k propositional variables for each subformula θ of φ of the form ψ_1 U ψ_2 or ψ_1 R ψ_2 (one for each 1 ≤ i ≤ k), which represent the eventuality of ψ_2 implicit in the formula, as first defined in [Biere et al. 2006]. Instead, in the QF-EU𝒟 encoding, only one variable j_{ψ_2} ∈ D is introduced for each ψ_2 occurring in a subformula ψ_1 U ψ_2 or ψ_1 R ψ_2; let ℓ be a shorthand for ⋁_{i=1}^{k} (loop = i):

$$\begin{array}{c|c}
\theta & \\ \hline
\psi_1 U \psi_2 & \ell \Rightarrow \big( \theta(k) \Rightarrow (loop \le j_{\psi_2} \le k \wedge \psi_2(j_{\psi_2})) \big) \\
\psi_1 R \psi_2 & \ell \Rightarrow \big( \neg\theta(k) \Rightarrow (loop \le j_{\psi_2} \le k \wedge \neg\psi_2(j_{\psi_2})) \big)
\end{array}$$

The conjunction of all the constraints for all the subformulae θ of φ constitutes the formula |Eventually|_k.

The complete encoding |φ|_k of φ consists of the logical conjunction of all the above components, together with φ evaluated at the first instant of time.
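As an added illustration (this is not the paper's Zot implementation), the following Python function emits the components of |φ|_k described above as SMT-LIB 2 text for the Y-free, proposition-free fragment, with one uninterpreted Int function per variable and one Bool predicate per subformula. Assumptions not taken from the paper: 𝒟 = (Z, <, ≤, =), written as the QF_UFLIA logic; formulae are nested tuples; the term X^n x is encoded directly as x(i + n) rather than through the recursive α(i) = α'(i + 1) definition (the two agree on the domain of σ_k).

```python
# Added example: emit |phi|_k (Section 4) as SMT-LIB 2 for a Y-free CLTLB(D)
# formula with D = (Z, <, <=, =).  Not the paper's Zot code.
# Constructed representation: a term (var, n) stands for X^n var (n >= 0); a
# formula is ('rel', op, t1, t2), ('not', f), ('and', f, g), ('X', f),
# ('U', f, g) or ('R', f, g).  Variable names must differ from the operators.

OPS = {'rel', 'not', 'and', 'X', 'U', 'R'}
REL = {'lt': '<', 'le': '<=', 'eq': '='}   # relations of the constraint system


def subformulae(f, acc=None):
    """Every subformula of f, each listed once, f itself first."""
    if acc is None:
        acc = []
    if f not in acc:
        acc.append(f)
    for child in f[1:]:
        if isinstance(child, tuple) and child[0] in OPS:
            subformulae(child, acc)
    return acc


def term(t, i):
    """Arithmetic formula function: X^n x read at position i is x(i + n)."""
    var, n = t
    return f"({var} {i + n})"


def encode(phi, k):
    """Return the SMT-LIB text of |phi|_k: declarations, constraints, check-sat."""
    subs = subformulae(phi)
    name = {f: f"th{j}" for j, f in enumerate(subs)}   # predicate symbols

    def at(f, i):                      # theta(i) for subformula f
        return f"({name[f]} {i})"

    ell = f"(and (<= 1 loop) (<= loop {k}))"          # shorthand l: a loop exists
    variables = sorted({t[0] for f in subs if f[0] == 'rel' for t in f[2:]})
    decls = ["(set-logic QF_UFLIA)", "(declare-const loop Int)"]
    decls += [f"(declare-fun {v} (Int) Int)" for v in variables]
    decls += [f"(declare-fun {name[f]} (Int) Bool)" for f in subs]
    cs = []
    for f in subs:
        op = f[0]
        # PropConstraints: atoms, negation and conjunction at 0 .. k+1
        for i in range(k + 2):
            if op == 'rel':
                cs.append(f"(= {at(f, i)} ({REL[f[1]]} {term(f[2], i)} {term(f[3], i)}))")
            elif op == 'not':
                cs.append(f"(= {at(f, i)} (not {at(f[1], i)}))")
            elif op == 'and':
                cs.append(f"(= {at(f, i)} (and {at(f[1], i)} {at(f[2], i)}))")
        # TempConstraints: fixpoint characterisations at 0 .. k
        for i in range(k + 1):
            if op == 'X':
                cs.append(f"(= {at(f, i)} {at(f[1], i + 1)})")
            elif op == 'U':
                cs.append(f"(= {at(f, i)} (or {at(f[2], i)} (and {at(f[1], i)} {at(f, i + 1)})))")
            elif op == 'R':
                cs.append(f"(= {at(f, i)} (and {at(f[2], i)} (or {at(f[1], i)} {at(f, i + 1)})))")
        # LoopConstraints: relation atoms at loop-1 and k agree (sv_{loop-1} = sv_k)
        if op == 'rel':
            cs += [f"(=> (= loop {i}) (= {at(f, i - 1)} {at(f, k)}))" for i in range(1, k + 1)]
        # LastStateConstraints: position k+1 mirrors position loop, else is false
        cs += [f"(=> (= loop {i}) (= {at(f, k + 1)} {at(f, i)}))" for i in range(1, k + 1)]
        cs.append(f"(=> (not {ell}) (not {at(f, k + 1)}))")
        # Eventualities: a single witness position j per U / R subformula
        if op in ('U', 'R'):
            j = f"j{name[f]}"
            decls.append(f"(declare-const {j} Int)")
            trigger = at(f, k) if op == 'U' else f"(not {at(f, k)})"
            witness = at(f[2], j) if op == 'U' else f"(not {at(f[2], j)})"
            cs.append(f"(=> {ell} (=> {trigger} (and (<= loop {j}) (<= {j} {k}) {witness})))")
    cs.append(at(phi, 0))                              # phi holds at the origin
    return "\n".join(decls + [f"(assert {c})" for c in cs] + ["(check-sat)"])


# Constructed sample: (x < Xx) U X(x = y), i.e. x strictly increases until,
# one step later, x equals y; bound k = 3.
SAMPLE = ('U', ('rel', 'lt', ('x', 0), ('x', 1)), ('X', ('rel', 'eq', ('x', 0), ('y', 0))))

if __name__ == "__main__":
    print(encode(SAMPLE, 3))
```

The printed text can be handed to any SMT-LIB 2 solver that supports QF_UFLIA; a `sat` answer with a model for `loop` and the `th` predicates is a k-bounded symbolic model of the sample formula.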

5. CORRECTNESS OF THE BSP ENCODING

In this section, we provide a proof of correctness of the encoding defined in Section 4. We split the proof into two parts: with Theorem 5.8 we show that the encoding |φ|_k of a formula φ represents ultimately periodic runs of the automaton A_s × A_ℓ introduced in Section 2.4. In Theorem 5.9 we focus on the fact that k-satisfiability is strictly related to the existence of ultimately periodic runs of the automaton A_s × A_ℓ. Finally, we are able to relate the satisfiability of |φ|_k to k-satisfiability. The next lemmata are useful to prove Theorem 5.8. They are essential for our approach because they state how k-bounded models σ_k are representative of ultimately periodic sequences of symbolic valuations, which are symbolic models of the formula. In other words, by Lemma 5.3 we can build a sequence of symbolic valuations from the sequence σ_k. Moreover, if the symbolic sequence satisfies additional constraints enforcing periodicity of relations in 𝓡, we can derive from σ_k an ultimately periodic symbolic model.

It is worth noting that BSP is defined with respect to sequences of symbolic valuations, whereas the encoding considers only atomic subformulae R occurring in φ. By definition, symbolic valuations are maximally consistent sets of 𝒟-constraints over the set of terms terms(φ) occurring in the formula. Maximal consistency of sets guarantees that the set SV(φ) is a partition of D^{|V|}. Therefore, any finite sequence of 𝒟-valuations induces a finite sequence of symbolic valuations of length k.

We consider the following assumption A_mc, which guarantees that maximally consistent sets of relations partition the space D^n, where n is the cardinality of the set V of variables.

Assumption (A_mc). For all m > 0 such that there is an m-ary relation R_m ∈ 𝓡 and for all v ∈ D^m, there exists a unique relation R such that v ⊨_𝒟 R.

LEMMA 5.1. Let 𝒟 be a constraint system satisfying assumption (A_mc), φ be a CLTLB(𝒟) formula and v be a 𝒟-valuation extended to the terms appearing in the symbolic valuations of SV(φ). Then, there is a unique symbolic valuation sv such that v ⊨_𝒟 sv.

Proof. We build a symbolic valuation from the values in v. We include R(α_1, ..., α_n) in sv when v ⊨_𝒟 f(R(α_1, ..., α_n)). We have to show that sv built in this way is maximally consistent. Consistency is immediate by the fact that if v ⊨_𝒟 f(R(α_1, ..., α_n)) then it cannot hold that v ⊨_𝒟 f(¬R(α_1, ..., α_n)). We prove maximality by showing that if sv is not maximal then there exists a relation which should not belong to sv but, by construction, must also be in sv, thus producing a contradiction. Let us suppose that there is a relation R' which is not in sv such that v ⊨_𝒟 f(R'). Moreover, let us suppose that sv ∪ {R'} is consistent; i.e., v ⊨_𝒟 sv ∪ {R'}. By construction, as we include R(α_1, ..., α_n) in sv when v ⊨_𝒟 f(R(α_1, ..., α_n)), there is a relation R'', in sv, over the same set of terms as R'. By assumption (A_mc), we have R' = R'', because, otherwise, in constraint system 𝒟 we would have two different relations, R' and R'', over the same set of terms and such that v ⊨_𝒟 f(R') and v ⊨_𝒟 f(R''), where v is an assignment of values in D to terms in terms(φ). This contradicts the uniqueness assumption in (A_mc). □

COROLLARY 5.2. Let φ be a CLTLB(𝒟) formula, v a 𝒟-valuation extended to the terms of symbolic valuations and sv a symbolic valuation in SV(φ). Then, for v ⊨_𝒟 sv and for all relations R ∈ 𝓡,

$$sv \models R(\alpha_1, \ldots, \alpha_n) \quad\text{iff}\quad v \models_{\mathcal{D}} f(R(\alpha_1, \ldots, \alpha_n)).$$

Proof. Let us suppose that sv ⊨ R(α_1, ..., α_n). By definition, sv ⊨ R(α_1, ..., α_n) if for every 𝒟-valuation v' over the set of terms within sv such that v' ⊨_𝒟 sv it holds that v' ⊨_𝒟 f(R(α_1, ..., α_n)). Therefore, we have immediately that v ⊨_𝒟 f(R(α_1, ..., α_n)). The converse is an immediate consequence of Lemma 5.1. □



LEMMA 5.3. Let φ be a CLTLB(𝒟) formula and σ_k be a finite sequence of 𝒟-valuations. Then, there exists a unique locally consistent sequence ρ ∈ SV(φ)^{k+1} such that σ_k, i ⊨ ρ(i), for all i ∈ [0, k].

Proof. By Lemma 5.1 we have that, for all i ∈ [0, k], the assignment of variables defined by σ_k is such that σ_k, i ⊨ ρ(i) and ρ(i) is unique. By Corollary 5.2, the values in σ_k from position i satisfy a relation R at position i if, and only if, R belongs to the symbolic valuation ρ(i) at position i, i.e., ρ(i) ⊨ R iff σ_k, i ⊨ f(R). We have to show local consistency between two adjacent symbolic valuations. Let us consider ρ(i) and ρ(i + 1). It holds that R(X^{i_1} x_1, ..., X^{i_n} x_n) ∈ ρ(i) and R(X^{i_1 − 1} x_1, ..., X^{i_n − 1} x_n) ∈ ρ(i + 1) by the uniqueness of values in σ_k. In fact, the arithmetic term X^{i_j} x_j evaluated from position i has the same value as X^{i_j − 1} x_j evaluated from position i + 1. □

It is worth noting that, by definition of |PropConstraints|_k and |ArithConstraints|_k (see Section 4), when |φ|_k is satisfiable we obtain a model σ_k that defines a value for all variables in [⌊φ⌋, k + ⌈φ⌉] and a unique symbolic model ρ ∈ SV(φ)^{k+1}.

Before presenting the core result of this section, which shows the correctness of the encoding of Section 4, we introduce two further intermediate results; these allow us to build our correctness result on the automata-based construction for CLTLB(𝒟) formulae introduced in [Demri and D'Souza 2007].

More precisely, we provide the following two reductions:

I. CLTLB(𝒟, 𝓡_0) formulae can be rewritten into CLTLB(𝒟) formulae,

II. CLTLB(𝒟) formulae can be rewritten into CLTLB(𝒟) formulae without Y operators.

Removing 0-ary relations

According to the definition given in Section 2.2, CLTLB(𝒟) is the language CLTLB where atomic formulae belong to the language of constraints in 𝒟, which may also contain 0-ary relations. In this case, atomic formulae are propositions p ∈ 𝓡_0 or relations over terms R(α_1, ..., α_n). Any positive occurrence of an atomic proposition p ∈ 𝓡_0 in a CLTLB formula can be replaced by an equality relation of the form x_p = 1. Then, a formula of CLTLB(𝒟, 𝓡_0) can be easily rewritten into a formula of CLTLB(𝒟) preserving the equivalence between them (modulo rewriting of propositions in 𝓡_0). We define a rewriting function r over formulae such that σ, 0 ⊨ φ if, and only if, θ, 0 ⊨ r(φ) ∧ ψ, where θ is the same as σ except for new fresh variables x_p representing atomic propositions and ψ is a formula restricting the values of the variables x_p to {0, 1}.

Let us suppose 𝓡_0 = {p_1, ..., p_n} to be a finite ordered set of propositions, φ a CLTLB(𝒟, 𝓡_0) formula and V the set of variables occurring in φ. Let us define V_𝓡 = {x_{p_1}, ..., x_{p_n}} as the set of variables representing propositions in 𝓡_0, such that V ∩ V_𝓡 = ∅. We define r : CLTLB(𝒟, 𝓡_0) → CLTLB(𝒟) as the function that maps a formula φ to a formula φ' identical to φ except for all occurrences of any proposition p in φ being replaced in φ' by the equality x_p = 1.

Removing propositions is a syntactic rewriting which acts on formulae. We also provide a syntactic rewriting function r_model which acts on models σ of CLTLB(𝒟, 𝓡_0) formulae and replaces occurrences of propositions p ∈ 𝓡_0 with x_p ∈ V_𝓡. Let θ = r_model(π, σ) be a sequence (D^{|V|+n})^ω of valuations of variables in V ∪ V_𝓡; i.e., θ : Z × (V ∪ {x_{p_1}, ..., x_{p_n}}) → D is the rewriting of σ and π defined as follows:

$$\theta(i, x) = \sigma(i, x) \quad \text{for all } x \in V, \text{ for all } \lfloor\phi\rfloor \le i$$

$$\theta(i, x_{p_j}) = \begin{cases} 1 & p_j \in \pi(i) \\ 0 & p_j \notin \pi(i) \end{cases} \quad \text{for all } j \in [1, n] \text{ and for all } i \ge 0.$$

PROPOSITION 5.4. Let φ be a CLTLB(𝒟, 𝓡_0) formula where 𝓡_0 = {p_1, ..., p_n}. Then, (π, σ), 0 ⊨ φ if, and only if,

$$\theta, 0 \models r(\phi) \wedge G\Big( \bigwedge_{i=1}^{n} (x_{p_i} = 1) \vee (x_{p_i} = 0) \Big)$$

where θ = r_model(π, σ). The proof can be found in Appendix 9.1.



Removing Y operators

Suppose the formula φ contains some a.t.t. of the form Y^i x. Note that in this case we have ⌊φ⌋ < 0. We define p : CLTLB(𝒟) → CLTLB(𝒟) as the function that maps a formula φ to an equisatisfiable formula φ' that does not contain any occurrence of the Y operator. The formula φ' is identical to φ except for all a.t.t.'s of the form X^j x in φ being replaced in φ' by X^{j − ⌊φ⌋} x, and a.t.t.'s of the form Y^i x being replaced by Y^{i + ⌊φ⌋} x.

Formally, it can happen, in the transformation above, that some indexes of Y operators become negative (e.g., if ⌊φ⌋ = −3, then p(Y^1 x) is replaced by Y^{−2} x). Then we stipulate that Y^{−i} = X^i (in the previous example, Y^{−2} becomes X^2). As a consequence, given a CLTLB(𝒟) formula φ, it is easy to see that Y does not occur in p(φ). The equisatisfiability of the formulae φ and p(φ) is guaranteed by moving the origin of φ by −⌊φ⌋ instants into the past. Since only X occurs in p(φ), models for CLTLB(𝒟) formulae without Y are now sequences of 𝒟-valuations σ : N × V → D.

PROPOSITION 5.5. Let φ be a CLTLB(𝒟) formula; then σ, 0 ⊨ φ iff σ, ⌊φ⌋ ⊨ p(φ).

The proof can be found in Appendix 9.2.
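To make the rewriting p concrete, here is an added Python illustration (not code from the paper) that computes ⌊φ⌋, applies p to a temporal-operator-free formula, and checks Proposition 5.5 on a constructed valuation. Assumptions of this example: a term (var, d) stands for X^d var when d ≥ 0 and for Y^{−d} var when d < 0 (so the stipulation Y^{−i} = X^i is built into the representation); relations are <, ≤, =; a valuation σ is a dictionary from (position, variable) to a value.

```python
# Added example (not the paper's code): the rewriting p of Section 5 that
# removes Y from arithmetic temporal terms, plus a check of Proposition 5.5.
# Constructed conventions: a term (var, d) means X^d var for d >= 0 and
# Y^(-d) var for d < 0; formulae are ('rel', op, t1, t2), ('not', f) or
# ('and', f, g); a valuation sigma is a dict {(position, var): value}.

REL = {'lt': lambda a, b: a < b, 'le': lambda a, b: a <= b, 'eq': lambda a, b: a == b}


def terms(f):
    """All arithmetic temporal terms occurring in f."""
    if f[0] == 'rel':
        return [f[2], f[3]]
    return [t for g in f[1:] for t in terms(g)]


def floor_phi(f):
    """The most negative depth among the terms of f (0 when no Y occurs)."""
    return min([0] + [d for _, d in terms(f)])


def p(f, shift=None):
    """Replace X^j x by X^{j - floor(phi)} x and Y^i x by Y^{i + floor(phi)} x."""
    if shift is None:
        shift = -floor_phi(f)          # -floor(phi) >= 0, applied to every term
    if f[0] == 'rel':
        (x, j), (y, m) = f[2], f[3]
        return ('rel', f[1], (x, j + shift), (y, m + shift))
    return (f[0],) + tuple(p(g, shift) for g in f[1:])


def value(t, i, sigma):
    """Value of term (var, d) read from position i: sigma(i + d, var)."""
    var, d = t
    return sigma[(i + d, var)]


def holds(f, i, sigma):
    """sigma, i |= f for the temporal-operator-free fragment used here."""
    if f[0] == 'rel':
        return REL[f[1]](value(f[2], i, sigma), value(f[3], i, sigma))
    if f[0] == 'not':
        return not holds(f[1], i, sigma)
    return holds(f[1], i, sigma) and holds(f[2], i, sigma)


# Constructed sample: (Y^3 x < X x) and (Y y = x), so floor(phi) = -3 and
# p(phi) = (x < X^4 x) and (X^2 y = X^3 x), to be read from position -3.
PHI = ('and', ('rel', 'lt', ('x', -3), ('x', 1)), ('rel', 'eq', ('y', -1), ('x', 0)))
SIGMA = {(-3, 'x'): 0, (-2, 'x'): 5, (-1, 'x'): 2, (0, 'x'): 7, (1, 'x'): 9,
         (-3, 'y'): 1, (-2, 'y'): 1, (-1, 'y'): 7, (0, 'y'): 4, (1, 'y'): 4}


def check_proposition_5_5(f=PHI, sigma=SIGMA):
    """sigma, 0 |= phi  iff  sigma, floor(phi) |= p(phi)."""
    return holds(f, 0, sigma) == holds(p(f), floor_phi(f), sigma)
```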

The rewriting function p naturally extends to the set SV(φ) of symbolic valuations to define a new set SV'(φ) of symbolic valuations sv' such that all 𝒟-formulae of sv' ∈ SV'(φ) consist of relations R ∈ 𝓡 over future terms of the form X^i x with i ≥ 0. It is worth noting that the following corollaries hold for generic sequences of symbolic valuations ρ.

COROLLARY 5.6. Let ρ be a sequence of symbolic valuations such that s < 0 is the minimum value i occurring in terms of the form Y^i x, and σ a sequence of 𝒟-valuations. Then,

$$\sigma, 0 \models \rho \quad\text{iff}\quad \sigma, s \models p(\rho).$$

Proof. The proof is a consequence of the base case in the proof of Proposition 5.5 for all atomic formulae R(α_1, ..., α_n) in the symbolic valuations constituting ρ. □

COROLLARY 5.7. Let φ be a CLTLB(𝒟) formula and ρ be a sequence of symbolic valuations. Then,

$$\rho, 0 \models \phi \quad\text{iff}\quad p(\rho), 0 \models p(\phi).$$

The proof can be found in Appendix 9.3.

Correctness

We now have all the necessary elements to prove the correctness of our encoding. We start by showing the equivalence of the satisfiability of |φ|_k with the existence of ultimately periodic runs of the automaton A_s × A_ℓ.

THEOREM 5.8. Let φ ∈ CLTLB(𝒟) with N definable in 𝒟 together with the successor relation. |φ|_k is satisfiable with respect to k ∈ N if, and only if, there exists an ultimately periodic run ρ = αβ^ω (|αβ| = k + 1) of A_s × A_ℓ accepting symbolic models of φ.

Before proving the theorem we provide the definition of models for QF-EU𝒟 formulae. The domain D and the interpretation of relations are constrained by 𝒟. A model M is a pair (D, I) where I is an interpretation defined as the mapping:

— for all function symbols α, a function associating, for each position of time, an element in the domain D, I(α) : N → D,

— for all predicate symbols θ, a function associating, for each position of time, an element in {true, false}, I(θ) : N → {true, false}.

Provided that D contains a copy of N, then, given an interpretation I, the values for all formula functions α and predicate functions θ encoding terms and subformulae of a CLTLB(𝒟) formula are known. Interpretation I trivially induces a model σ_k : {⌊φ⌋, ..., k + ⌈φ⌉} × V → D.

In the following proof, we will use the notion of "accepting subrun" of the Büchi automaton obtained by the standard construction of [Vardi and Wolper 1986], in the version of [Demri and D'Souza 2007]. Let φ be a CLTLB(𝒟) formula (without the Y modality over terms). The closure of φ, denoted cl(φ), is the smallest set containing all subformulae of φ that is also closed under negation. An atom Γ ⊆ cl(φ) is a subset of formulae of cl(φ) that is maximally consistent, i.e., such that, for each formula ξ in cl(φ), either ξ ∈ Γ or ¬ξ ∈ Γ. A pair (Γ_1, Γ_2) of atoms is one-step temporally consistent when:

— for every Xψ ∈ cl(φ), Xψ ∈ Γ_1 ⇔ ψ ∈ Γ_2,

— for every Yψ ∈ cl(φ), Yψ ∈ Γ_2 ⇔ ψ ∈ Γ_1,

— if ψ_1 U ψ_2 ∈ Γ_1, then ψ_2 ∈ Γ_1 or (ψ_1 ∈ Γ_1 and ψ_1 U ψ_2 ∈ Γ_2),

— if ψ_1 S ψ_2 ∈ Γ_2, then ψ_2 ∈ Γ_2 or (ψ_1 ∈ Γ_2 and ψ_1 S ψ_2 ∈ Γ_1).

The automaton A_s = (SV(φ), Q, Q_0, δ, F) is then defined as follows:

— Q is the set of atoms;

— Q_0 = {Γ ∈ Q : φ ∈ Γ, Yψ ∉ Γ for all ψ ∈ cl(φ), ψ_1 S ψ_2 ∈ Γ iff ψ_2 ∈ Γ};

— Γ_1 →^{sv} Γ_2 ∈ δ iff

  — Γ_1 ⊨ sv,

  — (Γ_1, Γ_2) is one-step consistent;

— F = {F_1, ..., F_p}, where F_i = {Γ ∈ Q | ψ_i U ζ_i ∉ Γ or ζ_i ∈ Γ} and {ψ_1 U ζ_1, ..., ψ_p U ζ_p} is the set of Until formulae occurring in cl(φ).

An accepting subrun for θ ∈ cl(φ) is a finite sequence of atoms Γ_1, Γ_2, ..., Γ_m such that:

— Γ_1 →^{sv_1} Γ_2 →^{sv_2} ... →^{sv_{m−1}} Γ_m,

— θ ∈ Γ_1, if θ = Xψ or θ = ψ_1 U ψ_2;

— θ ∈ Γ_m, if θ = Yψ or θ = ψ_1 S ψ_2;

— Γ_m ∈ F if θ = ψ_1 U ψ_2.

Moreover, observe that m = 2 if θ = Xψ or θ = Yψ.

Proof. We prove the theorem by showing that the formula |φ|_k represents accepting runs of the product automaton of A_s, the symbolic Büchi automaton of φ, and A_ℓ. If the formula |φ|_k is satisfiable, we prove that, given a subformula θ ∈ cl(φ), if θ holds then there exists a control state of A_s × A_ℓ, defined by an atom Γ such that θ ∈ Γ and which is visited by some initialized run. Observe that the encoding |φ|_k defines precisely the truth value of all subformulae θ of φ in the instants i ∈ [0, k]. Then, if |φ|_k is satisfiable, given an i ∈ [0, k], the set of all subformulae

$$\Gamma_i = \{ \varphi \in cl(\phi) \mid \text{if } \theta \text{ holds in } i \text{ then } \varphi = \theta, \text{ else } \varphi = \neg\theta \}$$

is an atom of the automaton A_s. Let us suppose loop ∈ [1, k]. The sequence of sets Γ_i for 0 ≤ i ≤ k is an ultimately periodic sequence of atoms of A_s due to the satisfiability of the formulae |LastStateConstraints|_k and |LoopConstraints|_k. We write Γ|_Λ to denote the projection of the 𝒟-constraints in Γ on the symbols of the set Λ; e.g., if Λ = {R_1, R_2} then {R_1(x, y), R_2(Xx, Yx), θ_1, θ_2}|_Λ = {R_1(x, y), R_2(Xx, Yx)}. The sequence of atoms is

$$\gamma = \Gamma_0 \ldots \Gamma_{loop-1} (\Gamma_{loop} \ldots \Gamma_k)^\omega$$

and is such that Γ_{loop−1}|_𝓡 is equal to the set of relations of Γ_k|_𝓡, by the formulae in |LoopConstraints|_k. Moreover, by |LastStateConstraints|_k we have Γ_{k+1}|_{cl(φ)} = Γ_{loop}|_{cl(φ)}.

We now show that we can obtain, from an interpretation I satisfying |φ|_k, an ultimately periodic run which does not contain the Y modality over terms and which is a run of the automaton A_s × A_ℓ.

By Proposition 5.4 the truth value of φ is preserved, modulo a rewriting defined by r, by replacing 0-ary relations (atomic propositions) in the interpretation I by formulae of the form either x_p = 1 or x_p = 0, where p ∈ 𝓡_0. The interpretation I can be completed in all positions ⌊φ⌋ ≤ i < 0, for all variables x_p ∈ V_𝓡, by assigning an arbitrary value in {0, 1}. In fact, the truth values of atomic propositions in 𝓡_0 before 0 do not affect the evaluation of the formula φ, by definition of the relation ⊨. Then, we are allowed to choose any value to complete the model of the variables before 0. Therefore, we obtain a model M' = (D, I') which is a k-bounded model for the formula r(φ) where atomic propositions are replaced by equality relations. By Lemma 5.3, from σ_k, induced by I', we have a unique locally consistent sequence of symbolic valuations ρ such that σ_k, 0 ⊨_k ρ. The sequence ρ of symbolic valuations is such that all atomic propositions p ∈ 𝓡_0 are replaced by equality relations of the form x_p = 1, if p ∈ sv, otherwise x_p = 0. Observe that, in order to simplify the notation, we write σ_k, 0 ⊨_k ρ even when using the rewriting r (and the corresponding r_model), instead of the more precise, but lengthier, r_model(σ_k), 0 ⊨_k r(ρ). The formula |LoopConstraints|_k witnesses ultimately periodic sequences of symbolic valuations ρ because it is defined over the set of relations in 𝓡 and all terms of the set terms(φ):

$$\rho = sv_0 \ldots sv_{loop-1} (sv_{loop} \ldots sv_k)^\omega$$

such that sv_{loop−1} = sv_k. By Corollary 5.6, the model σ_k is such that σ_k, ⌊φ⌋ ⊨ p(ρ) where:

$$p(\rho) = p(sv_0)_{\lfloor\phi\rfloor} \ldots p(sv_{loop-1})_{loop-1+\lfloor\phi\rfloor} \big( p(sv_{loop})_{loop+\lfloor\phi\rfloor} \ldots p(sv_k)_{k+\lfloor\phi\rfloor} \big)^\omega$$

and p(ρ), 0 ⊨ p(φ), by Corollary 5.7. Position ⌊φ⌋ is the origin of the sequence p(ρ) of symbolic valuations, which do not contain the past modality Y over terms. By Proposition 5.5 we can shift the sequence of atoms Γ_i by ⌊φ⌋ positions backward into the past. The new sequence

$$p(\gamma) = p(\Gamma_0)_{\lfloor\phi\rfloor} \ldots p(\Gamma_{loop-1})_{loop-1+\lfloor\phi\rfloor} \big( p(\Gamma_{loop})_{loop+\lfloor\phi\rfloor} \ldots p(\Gamma_k)_{k+\lfloor\phi\rfloor} \big)^\omega$$

is such that for each Γ_i, σ_k, 0 ⊨ Γ_i ⇔ σ_k, ⌊φ⌋ ⊨ p(Γ_i), where σ_k, i ⊨ Γ if, and only if, σ_k, i ⊨ θ for all θ ∈ Γ, and p(Γ) = {p(θ) | θ ∈ Γ}.

Consequently, if the encoding |φ|_k of φ is satisfiable with a finite model M, then p(γ) is an accepting run of the automaton A_s × A_ℓ of the formula p(φ) which recognizes sequences of symbolic valuations p(ρ) such that p(φ) ∈ p(Γ_0)_{⌊φ⌋}, p(ρ), 0 ⊨ p(φ) and σ_k, ⌊φ⌋ ⊨_k p(ρ'), where ρ' = sv_0 ... sv_{loop−1} sv_{loop} ... sv_k. By Propositions 5.5 and 5.4, from p(γ) and p(ρ) we can build an accepting run Γ_0 ... Γ_{loop−1} (Γ_{loop} ... Γ_k)^ω of the automaton A_s × A_ℓ of φ recognizing ρ. In fact, from p(ρ) we can obtain ρ and from p(γ) we can obtain γ by means of the inverse rewriting p^{−1}. Moreover, atomic propositions can also be restored by means of the inverse of r.

Therefore, without loss of generality, let us suppose φ to be a formula where neither the Y modality on terms nor atomic propositions occur.

Now, we provide the second step of the proof. More precisely, by induction on the structure of the formula φ, we prove that for each position 0 ≤ i ≤ k, if θ_i holds in the finite model, i.e., θ_i = true, then there exists a control state Γ in the automaton A_s such that θ_i ∈ Γ.

Recall that the encoding is such that:

— Γ_{loop}|_{cl(φ)} = Γ_{k+1}|_{cl(φ)}. The encoding of subformulae (|LastStateConstraints|_k) is such that if there exists a loop then, for all subformulae, θ_{k+1} ⇔ θ_{loop}.

— sv_{loop−1} = sv_k.

— No periodic constraints are defined for the arithmetic model σ_k.

Now, we prove by structural induction on φ that for 0 ≤ i ≤ k, θ_i holds if, and only if, there exists a sequence of atoms Γ_i, ..., Γ_m defining an accepting subrun of A_s for the formula θ. The base case is given on relation formulae θ = R(α_1, ..., α_n). If θ_i holds, with 0 ≤ i ≤ k, then there exists a symbolic valuation sv such that sv_i is satisfiable at the position i and also θ ∈ sv, i.e., sv ⊨ θ, as required in the rule defining the transition relation of the automaton A_s. Also, there are two control states sv' and sv'' such that sv_{i−1} = sv' → sv and sv → sv'' = sv_{i+1} for i ≥ 1. This follows from the consistency of the encoding as considered in the proof of Lemma 5.3. The set of subformulae Γ_i defines an atom constituting a control state of the automaton A_s such that sv = Γ_i ∩ SV(φ). Hence, Γ_i of A_s and sv_i of A_ℓ are such that θ ∈ Γ_i, Γ_i → Γ'', for some atom Γ'', and sv → sv'', for some sv'' which is locally consistent with sv.

Then, we proceed with the inductive step by considering all subformulae in cl(φ). We show that for each θ ∈ cl(φ) it is possible to build an accepting subrun of A_s. Therefore, inductively, we have φ ∈ Γ_0 (or, equivalently, p(φ) ∈ p(Γ_0)).

— If 8 = X-0 then for < i < k, 8i tpi+i- By inductive hypothesis, we have that ip G r i+1 . Then, 
by \TempConstraints\k, G Ti, that is 8 £ Ti. Moreover, there are two locally consistent 
symbolic valuations sv, sv' € SV{4>) such that svi — sv —> sv' — svi+i which is a subrun of 
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At- It follows that Yi T i+ i such that si; € Ti n SV(cp) is a subrun of A s for which X.ip e T, 
iff ip € according to the definition of one-step consistent atoms. If i = k, the same arguments 
as above can be used provided that we consider 9t <^> ipi oop and ip £ Ti oop . 

— If 8 = Yip then for 1 < i < k, 9i ipi-i\ in addition 9q <=>_L By inductive hypothesis, we have 
that ip e Ti-i. Then, by \TempConstraints\k, e Tj, that is 6 e I\. Moreover, there are 
two locally consistent symbolic valuations sv, sv' € SV{(j)) such that svi-i = sv —t sv' = svi 
which is a subrun of At- It follows that Ti_i Ti such that sv e r^_i n SV{(j)) is a subrun 
of _4 S for which Yip e Tj iff ^ G Tj-i according to the definition of one-step consistent atoms. 
9 <^>_L defines the initial atom T according to the rule defining initial states of Vardi-Wolper 
automata. 

— If — ipU( then for < i < k, 9i Q V (ipi A (^U£)t+i). Two cases have to be considered. 

— (j holds for some i < j < k. By inductive hypothesis, ( <E Tj, ip € rj...rj_i and 
€ Tj+i . . . Tj. By \TempConstraints\k, = ipU( € IV There is a sequence of locally 

consistent symbolic valuations svi . . . svj such that svi . . . SVj ^ 1 y sv - which is a subrun 

of At. It follows that Ti ^ ... Tj where, for alH < z < j, sv z = T z n SV(<£), 

is a subrun of .4 S for which if ipi\Jip 2 € Tj then ^2 € Tj or (V'l € Tj and ipiXJip2 G T i+1 ) 
according to the definitions of one-step consistent atoms. 

— Otherwise, Q holds for some j, loop < j < i; therefore, from formula: 6k => t < j < k A Q in 
\TemporalConstraints\k and by \LastStateConstraints\k, which enforces 6>fc + i <^ 6 loop , 
9 holds in all positions i+l<z<k+l and also in loop < z < j. Similarly to the previous 
case, we can build the accepting sequence for 9 by considering the positions in the finite model 
where 9 is satisfied. In particular, we consider Tj . . . r fc r ;oop . . . Tj the accepting subrun of 
9 in A s . In fact, by inductive hypothesis, ( e Tj and ip e Tj . . . T k Ti oop . . . r,-_i. Then, 
ip'UC € Tj. The sequence of locally consistent symbolic valuations is svi . . . svkSVi oop . . . svj 

SVi SV k SV loop SVj-! . 

s.t. svi — > ■ ■ ■ > svi oop > ■ ■ ■ > svj is a subrun of At. 

— If = ipSC then for 1 < i < k + 1, 9, <=> Q V (ip, A (^SC)i-i) and also (V'SC)o Co- Then, 
Q holds for < j < i. By inductive hypothesis, ( € Tj, ^ € Tj . . . Ti and e Tj . . . IV-i. 
By \TempConstraints\k, 9 = ipS( e Ti. There is a sequence of locally consistent symbolic 
valuations svj . . . svi such that svj . . . st, '~ 1 > s«i which is a subrun of At- It follows that 

Tj — -> . . . — '—^ Ti where, for all j < z < i, sv z = T z n SV(<p), is a subrun of A s for which 
if ipiSip2 € Ti then t/> 2 € r, or (^1 e Tj and ip{Uip2 € Fj_i) according to the definitions of 
one-step consistent atoms. (^>S£)o Co defines initial atoms T according to the rule defining 
initial states of Vardi-Wolper automata. 

— If $\theta = \psi \mathbf{R} \zeta$ then for $0 \le i \le k$, $\theta_i \Leftrightarrow \zeta_i \wedge (\psi_i \vee (\psi \mathbf{R} \zeta)_{i+1})$. This case can be reduced to the analysis of a subformula containing $\mathbf{U}$. In fact, by duality of $\mathbf{U}$ and $\mathbf{R}$, $\neg\theta = \neg(\psi \mathbf{R} \zeta) = \neg\psi \mathbf{U} \neg\zeta$. Therefore, subruns accepting $\neg\theta$ are accepting subruns for $\neg\psi \mathbf{U} \neg\zeta$; then, subruns accepting $\theta$ are all non accepting subruns for $\neg\psi \mathbf{U} \neg\zeta$.

— If $\theta = \psi \mathbf{T} \zeta$ then for $1 \le i \le k+1$, $\theta_i \Leftrightarrow \zeta_i \wedge (\psi_i \vee (\psi \mathbf{T} \zeta)_{i-1})$ and $(\psi \mathbf{T} \zeta)_0 \Leftrightarrow \zeta_0$. This case can be reduced to the analysis of a subformula containing $\mathbf{S}$. In fact, by duality of $\mathbf{S}$ and $\mathbf{T}$, $\neg\theta = \neg(\psi \mathbf{T} \zeta) = \neg\psi \mathbf{S} \neg\zeta$. Therefore, subruns accepting $\neg\theta$ are accepting subruns for $\neg\psi \mathbf{S} \neg\zeta$; then, subruns accepting $\theta$ are all non accepting subruns for $\neg\psi \mathbf{S} \neg\zeta$.



The case for $loop \notin [1,k]$ can be derived from the previous analysis. The sequence of atoms $\Gamma_0 \dots \Gamma_k$ is a finite run of $\mathcal{A}_S$ and sequence $sv_0 \dots sv_k$ of symbolic valuations is a finite word of locally consistent symbolic valuations. If $\phi$ can be satisfied by $sv_0 \dots sv_k$ then the evaluation of $\phi$ does not depend on truth values of its subformulae from position $k+1$ upwards. Prefix $sv_0 \dots sv_k$ can be completed by any sequence in $SV(\phi)^\omega$. In this case, $|LastStateConstraints|_k$ enforces $\bot$ at position $k+1$ by constraining all subformulae in $cl(\phi)$ to $\bot$. Consequently, $|TempConstraints|_k$ for future formulae $\mathbf{X}\phi$, $\phi \mathbf{U} \psi$ and $\phi \mathbf{R} \psi$ are:

$\theta$ : $\theta_k$
$\mathbf{X}\phi$ : $\theta(k) \Leftrightarrow \bot$
$\phi \mathbf{U} \psi$ : $\theta(k) \Leftrightarrow \psi(k)$
$\phi \mathbf{R} \psi$ : $\theta(k) \Leftrightarrow \psi(k) \wedge \phi(k)$

In this case, the value at position $k$ of formulae of the form $\phi \mathbf{U} \psi$ and $\phi \mathbf{R} \psi$ depends only on the truth value of $\psi$ and $\phi$ at position $k$. In fact $\phi \mathbf{U} \psi$ holds in $k$ if, and only if, formula $\psi$ holds at the same position $k$; whereas $\phi \mathbf{R} \psi$ holds in $k$ if, and only if, formulae $\psi$ and $\phi$ hold at the same position $k$. The analysis of the inductive step is the same as the previous case for $loop \in [1,k]$ except for:

— formula $\theta = \mathbf{X}\phi$ is considered only for positions $0 \le i < k$;

— the second case of $\theta = \phi \mathbf{U} \zeta$, i.e., $\zeta_j$ with $loop \le j < i$, is no longer needed. In fact, if a formula $\theta = \phi \mathbf{U} \zeta$ holds at position $i$, then $\zeta$ holds for some $i \le j \le k$ over a finite subrun.
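The bounded semantics used in this proof (the recurrences for $\mathbf{U}$, $\mathbf{R}$, $\mathbf{S}$, $\mathbf{T}$, the loop case with $\theta_{k+1} \Leftrightarrow \theta_{loop}$, and the no-loop case where every subformula is $\bot$ from $k+1$ on) can be made concrete with a small evaluator. The following is an added example written for this page, not code from the paper or from the Zot tool; the tuple syntax for formulae, the word representation as a list of sets of atoms, and the function names are this example's own assumptions.

```python
from functools import lru_cache

# Constructed sample (not from the paper): positions 0..4; with loop = 2 the
# word is read as sv_0 sv_1 (sv_2 sv_3 sv_4)^omega, so position 5 is sv_2 again.
SAMPLE_WORD = [{'p'}, {'p'}, {'p', 'q'}, {'p'}, {'p'}]
P, Q = ('p', 'p'), ('p', 'q')  # atomic propositions p and q


def evaluate(formula, word, loop=None):
    """Truth values of `formula` at positions 0..k, where k = len(word) - 1.

    Formulae are tuples: ('p', name), ('not', f), ('and', f, g), ('or', f, g),
    ('X', f), ('Y', f), ('U', f, g), ('R', f, g), ('S', f, g), ('T', f, g).
    With `loop` in [1, k] the word is sv_0 .. sv_{loop-1} (sv_loop .. sv_k)^omega.
    With loop=None it is a finite prefix and, as in the proof, every subformula
    is false from position k+1 upwards (so X is false at k, U at k reduces to
    its right operand and R at k to the conjunction of both operands).
    """
    k = len(word) - 1
    period = (k + 1 - loop) if loop is not None else 0
    # a witness for U (or a counter-witness for R) at a position i <= k, if one
    # exists, occurs before k + 1 + period, so this window is enough to scan
    window = k + 1 + period

    def atoms(i):
        if i <= k:
            return word[i]
        return word[loop + (i - loop) % period]  # only reached when loop is set

    @lru_cache(maxsize=None)
    def holds(f, i):
        if i > k and loop is None:
            return False  # finite case: everything is bottom beyond k
        op = f[0]
        if op == 'p':
            return f[1] in atoms(i)
        if op == 'not':
            return not holds(f[1], i)
        if op == 'and':
            return holds(f[1], i) and holds(f[2], i)
        if op == 'or':
            return holds(f[1], i) or holds(f[2], i)
        if op == 'X':
            return holds(f[1], i + 1)
        if op == 'Y':
            return i > 0 and holds(f[1], i - 1)
        if op == 'U':  # exists j >= i: g at j and f on [i, j)
            return any(holds(f[2], j) and all(holds(f[1], l) for l in range(i, j))
                       for j in range(i, i + window))
        if op == 'R':
            if loop is None:
                # theta_i <=> zeta_i and (psi_i or theta_{i+1}), theta_{k+1} = bottom
                return holds(f[2], i) and (holds(f[1], i) or holds(f, i + 1))
            # periodic case: for all j >= i, g at j or some f in [i, j)
            return all(holds(f[2], j) or any(holds(f[1], l) for l in range(i, j))
                       for j in range(i, i + window))
        if op == 'S':  # exists j <= i: g at j and f on (j, i]
            return any(holds(f[2], j) and all(holds(f[1], l) for l in range(j + 1, i + 1))
                       for j in range(0, i + 1))
        if op == 'T':  # for all j <= i: g at j or some f in (j, i]
            return all(holds(f[2], j) or any(holds(f[1], l) for l in range(j + 1, i + 1))
                       for j in range(0, i + 1))
        raise ValueError(f"unknown operator {op!r}")

    return [holds(formula, i) for i in range(k + 1)]


if __name__ == '__main__':
    # p U q at position 3 is true only when the word loops back to sv_2
    print(evaluate(('U', P, Q), SAMPLE_WORD, loop=2))
    print(evaluate(('U', P, Q), SAMPLE_WORD))
```

The two calls in the `__main__` block differ exactly at positions 3 and 4: with the loop, the witness for $q$ is found at position 5 (which is $sv_2$ again); without it, the finite prefix ends and $\mathbf{U}$ at $k$ collapses to $\psi(k)$ as in the table above.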

To conclude the first part of the proof, if $|\phi|_k$ is satisfiable then $\phi$ holds at time 0, hence $\phi \in \Gamma_0$ ($r(\phi) \in r(\Gamma_0)$), where $\Gamma_0$ is an initial state of $\mathcal{A}_S$ because it satisfies $|TempConstraints|_k$ at time 0; then, the sequence of atoms $\gamma$ is a periodic accepting run of $\mathcal{A}_S$ for $\phi$, accepting an ultimately periodic symbolic model $\rho$.

Let us now prove that if there is a run in $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$ accepting $r(\phi)$, then formula $|\phi|_k$ is satisfiable (again we assume the rewriting induced by $r$). Let us suppose there exists an ultimately periodic symbolic model of length $k+1$ which is accepted by $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$. It is a locally consistent sequence of symbolic valuations, $\rho = \alpha\beta^\omega$ of the form:

$\rho = sv_0 \dots sv_{loop-1} (sv_{loop} \dots sv_k)^\omega$

such that $\rho \in \mathcal{L}(\mathcal{A}_S \times \mathcal{A}_\mathcal{D})$ and which is recognized by a periodic run of $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$ of the form²:

$\nu = (\Gamma_0, sv_0) \dots (\Gamma_{loop-1}, sv_{loop-1}) \big( (\Gamma_{loop}, sv_{loop}) \dots (\Gamma_k, sv_k) \big)^\omega$

For each subformula $\psi \mathbf{U} \zeta$ occurring in $\phi$, subrun $(\Gamma_{loop-1}, sv_{loop-1})(\Gamma_{loop}, sv_{loop}) \dots (\Gamma_k, sv_k)$ visits control states of the set $F_i$, thus witnessing the acceptance condition of $\mathcal{A}_S$. From $\nu$ we build run $\gamma$ of $\mathcal{A}_S$:

$\gamma = \Gamma_0 \dots \Gamma_{loop-1} (\Gamma_{loop} \dots \Gamma_k)^\omega$.

In particular, $\rho$ is defined by the projection on the alphabet $SV(r(\phi))$ of the subformulae occurring in every $\Gamma_i$, for $0 \le i \le k$. Sequence $\rho$ and its accepting run $\gamma$ can be translated by means of $r^{-1}$ in order to obtain a symbolic model for $\phi$. In particular, because $\rho \models r(\phi)$ then we obtain $r^{-1}(\rho) \models \phi$. Similarly, by shifting all formulae in atoms of $\gamma$, we obtain an accepting run $r^{-1}(\gamma)$ for $\phi$. The model for $|\phi|_k$ is given by the truth value of all the subformulae in $r^{-1}(\gamma)$ and the values of variables occurring in $\phi$ defining $\sigma_k$ can be defined as explained later. In particular, we need to complete interpretation $I$ for uninterpreted predicate and function formulae: given a position $0 \le i \le k$, for all subformulae $\theta \in cl(\phi)$ we define

— $I(\theta)(i) = true$ iff $\theta \in r^{-1}(\Gamma_i)$,
— $I(\theta)(i) = false$ iff $\neg\theta \in r^{-1}(\Gamma_i)$.

The truth value of subformulae $\psi \mathbf{R} \zeta$ and $\psi \mathbf{T} \zeta$ is derived by duality: $\neg\psi \mathbf{R} \zeta = \neg\psi \mathbf{U} \neg\zeta$ and $\neg\psi \mathbf{T} \zeta = \neg\psi \mathbf{S} \neg\zeta$. To complete the interpretation of subformulae at position $k+1$ we can use values from $loop$: $I(\theta)(k+1) = I(\theta)(loop)$. Observe that by taking truth values of subformulae $\theta \in cl(\phi)$ from atoms $r^{-1}(\Gamma_i)$, $|PropConstraints|_k$ are trivially satisfied (atoms are defined by using the same Boolean closure in $|PropConstraints|_k$). The sequence $\rho$ of symbolic valuations is consistent



² For reasons of clarity, we avoid some details of product automaton $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$, which are however inessential in the proof.
and all the a.t.t.'s in the encoding of $|\phi|_k$ can be uniquely defined by considering at each position $i$ a symbolic valuation $r^{-1}(sv_i)$. Consider the sequence $\rho' = sv_0 \dots sv_{loop-1} (sv_{loop} \dots sv_k) sv_{loop}$. The model $\sigma_k(i,x)$ for each variable $x \in V$ and for $0 \le i \le k+1+\lceil\phi\rceil$ is defined by an edge-respecting assignment of values in $D$ for the graph $G_{r^{-1}(\rho')}$ according to what is suggested in [Demri and D'Souza 2007, Lemma 5.2]. All a.t.t.'s $\alpha_i$ are uniquely defined by considering the values of variables in $\sigma_k$. We define $I(\alpha)$, with $\alpha = \mathbf{X}^j x$ and $1 \le j \le \lceil\phi\rceil$ or $\alpha = \mathbf{Y}^j x$ and $1 \le j \le -\lfloor\phi\rfloor$:

$I(\alpha)(i) = \sigma_k(i + |\alpha|, x)$

for all $0 \le i \le k+1$. Then, formulae $|ArithConstraints|_k$ are satisfied. Since run $\nu$ is ultimately periodic, then control state $(\Gamma_{loop}, sv_{loop})$ is visited at position $k+1$. It witnesses the satisfaction of $|LastStateConstraints|_k$ formulae, which prescribe that $\theta_{k+1} \Leftrightarrow \theta_{loop}$ for all $\theta \in cl(\phi)$. Finally, let us consider $|Eventually|_k$ formulae. If subformula $\theta = \psi \mathbf{U} \zeta$ belongs to the atom $\Gamma_k$, then there exists a position $j > k$ such that $\zeta$ holds. Since the model is periodic then $k < j \le 2k$, i.e., $j$ is a position in $loop \le j \le k$. Moreover, if $\neg(\psi \mathbf{R} \zeta) = \neg\psi \mathbf{U} \neg\zeta$ belongs to $\Gamma_k$ then there exists a position $j > k$ such that $\neg\zeta$ holds. As in the previous case $loop \le j \le k$. Hence, the $|Eventually|_k$ formulae are satisfied. The initial atom $\Gamma_0$ is such that $\mathbf{Y}\psi \notin \Gamma_0$ and if $\psi \mathbf{S} \zeta \in \Gamma_0$ then $\zeta \in \Gamma_0$, which witnesses the encoding of subformulae $\mathbf{Y}\psi$ and $\psi \mathbf{S} \zeta$ at 0, i.e., $\theta_0 \Leftrightarrow \bot$ and $\theta_0 \Leftrightarrow \zeta_0$, respectively. □

The next theorem draws a link between $k$-satisfiability and the existence of an ultimately periodic run in automaton $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$.

THEOREM 5.9. Let $\phi \in CLTLB(\mathcal{D})$ with $\mathbb{N}$ definable in $\mathcal{D}$ together with the successor relation. Formula $\phi$ is $k$-satisfiable with respect to $k \in \mathbb{N}$ if, and only if, there exists an ultimately periodic run $\rho = \alpha\beta^\omega$ of $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$, with $|\alpha\beta| = k+1$, accepting symbolic models of $\phi$.

Proof. By definition, if $\phi$ is $k$-satisfiable, then there is an ultimately periodic symbolic model $\rho = \alpha\beta^\omega$ such that $\rho \models \phi$. By Lemma 5.3 $\rho$ is locally consistent because there exists a $k$-bounded model $\sigma_k$ such that $\sigma_k \models_k \alpha\beta$. Therefore, $\rho \in \mathcal{L}(\mathcal{A}_S \times \mathcal{A}_\mathcal{D})$.

Conversely, if the language of $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$ is not empty, then the automaton accepts also ultimately periodic symbolic models over the alphabet $SV(\phi)$, whose prefix has the form $\alpha s \beta' s$, where $\beta = s\beta'$. Since sequence $\alpha\beta$ is a finite prefix of length $k+1$ of symbolic model $\alpha\beta^\omega$, which admits an arithmetic model, then $\alpha\beta$ admits a $k$-bounded model $\sigma_k$ defined by an edge-respecting labeling of the graph $G_{\alpha\beta}$. □

We can prove the main equivalence result which draws the connection between the encoding and the $k$-satisfiability problem.

THEOREM 5.10. Let $\phi \in CLTLB(\mathcal{D})$ with $\mathbb{N}$ definable in $\mathcal{D}$ together with the successor relation. $\phi$ is $k$-satisfiable with respect to $k \in \mathbb{N}$ if, and only if, $|\phi|_k$ is satisfiable.

Proof. It is a direct consequence of Theorems 5.8 and 5.9. □



As explained in Section 2.4 each automaton involved in the definition of $\mathcal{A}_\phi$ has the function of "filtering" sequences of symbolic valuations so that 1) they are locally consistent, 2) they satisfy an LTL property and 3) they admit an (arithmetic) model. As mentioned in Section 2, for constraint systems that have the completion property local consistency is a sufficient and necessary condition for admitting a model. For these constraint systems $\mathcal{A}_\phi$ is exactly automaton $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$, and from Proposition 2.5 and Theorem 5.10 we obtain the following result.

PROPOSITION 5.11. Let $\phi \in CLTLB(\mathcal{D})$ with $\mathbb{N}$ definable in $\mathcal{D}$ together with the successor relation. $\phi$ is $k$-satisfiable with respect to $k \in \mathbb{N}$ if, and only if, $\phi$ has an ultimately periodic model $\alpha\beta^\omega$ with $|\alpha\beta| = k+1$.
Proof. Formula $\phi$ is $k$-satisfiable if, and only if, $|\phi|_k$ is satisfiable. Then, bounded model $\sigma_k$ can be extended to (an infinite model) $\sigma$, from $k$ forward, by iterating infinitely many times the suffix $sv_{loop} \dots sv_k$ and by providing an edge-respecting assignment to all variables in $V$. Proposition 2.5 guarantees that $sv_0 \dots sv_{loop-1} (sv_{loop} \dots sv_k)^\omega$ admits a model $\sigma$; i.e., $\sigma \models sv_0 \dots sv_{loop-1} (sv_{loop} \dots sv_k)^\omega$.

Conversely, if formula $\phi$ is satisfiable, then automaton $\mathcal{A}_\phi$ recognizes a nonempty language in $SV(\phi)^\omega$. From the Büchi acceptance condition, automaton $\mathcal{A}_\phi$ recognizes also ultimately periodic locally consistent sequences of the form $\alpha\beta^\omega$ of length $k+1$, for some finite $k$ which is bounded by the number of control states of $\mathcal{A}_\phi$. Then, by considering the prefix $\alpha\beta$ we can define an edge-respecting labeling of $G_{\alpha\beta}$ defining model $\sigma_k$. □

When constraint systems do not have the completion property, locally consistent symbolic models $\rho$ recognized by automaton $\mathcal{A}_S \times \mathcal{A}_\mathcal{D}$ may not admit arithmetical models $\sigma$ such that $\sigma \models \rho$. However, for some constraint systems $\mathcal{D}$, it is possible to define a condition $C$ over symbolic models such that if $\rho \in \mathcal{L}(\mathcal{A}_S \times \mathcal{A}_\mathcal{D})$ satisfies $C$ then $\rho$ admits a model. This problem was already studied by [Demri and D'Souza 2007] through an automata-theoretic approach. We show in the next section that it is possible to encode a condition equivalent to $C$ directly by means of formulae in QF-EU$\mathcal{D}$ (when $\mathcal{D}$ embeds $\mathbb{N}$ and the successor function).

5.1. Checking for $\mathcal{A}_C$

In this section, we provide a direct encoding of a condition of (non) existence of arithmetical models which is equivalent to Property 2.6 on the symbolic model of a CLTLB formula $\phi$.

Let $\lambda$ be the length of symbolic valuations in $SV(\phi)$ and $\rho$ be a symbolic model for $\phi$. We introduce the notion of point $p = (x, j, h)$ within $\rho$ which we use to identify a variable (or a constant) $x \in V \cup const(\phi)$ at position $h$ within symbolic valuation $\rho(j)$; i.e., we refer to variable $x$, or constant $c$, at position $j+h$ of the model. Given a point $p = (x, j, h)$ of $\rho$, we denote with $var(p)$ the variable $x$ of $p$, with $sv(p)$ the symbolic valuation $j$, and with $shift(p)$ the position $h$ of $x$ within the $j$-th symbolic valuation; also, $x(j+h)$ is the value of variable $x$ in position $h$ of the $j$-th symbolic valuation of $\rho$.

Given a symbolic model $\rho$, we call $P$ the set of meaningful points $p$ of $\rho$, i.e., such that $sv(p) \ge 0$ and $shift(p) \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$; when the sequence $\rho$ of symbolic valuations is of finite length $k+1$, then $sv(p) \in [0, k+1]$, and we indicate the set of points as $P_k$.

Definition 5.12. We say that there is a local forward path between two points $p_1 = (x, j, h)$ and $p_2 = (y, i, m)$ of $\rho$, written $p_1 \preceq p_2$, when $j = i$, $x(j+h) \le y(j+m)$ and $h < m$, for $x, y \in V$. A local forward path between $p_1$ and $p_2$ is strict, written $p_1 \prec p_2$, when $x(j+h) < y(j+m)$.

Similarly, we say that there is a local backward path between two points $p_1 = (x, j, h)$ and $p_2 = (y, i, m)$, written $p_1 \succeq p_2$, when $j = i$, $x(j+h) \le y(j+m)$ and $h > m$. A local backward path between $p_1$ and $p_2$ is strict, written $p_1 \succ p_2$, when $x(j+h) < y(j+m)$.

Given an ultimately periodic model $\alpha\beta^\omega$, we say that points $p$ and $p'$ are equivalent, and we write $p \equiv p'$, when $var(p) = var(p')$, $sv(p) = sv(p') + k|\beta|$ and $shift(p) = shift(p')$, for $k \ge 1$.

Let $\rho = \alpha\beta^\omega \in SV(\phi)^\omega$ be an ultimately periodic symbolic model of $\phi$. The encoding represents, by means of a finite representation, infinite, strict and non strict, paths resulting from iterating infinitely many times suffix $\beta$. To do this, we consider the finite path resulting from $\alpha\beta$, of length $k+1$, of the form $\alpha s \beta'$, with $\beta = s\beta'$. Starting from $\rho(k)$, we propagate the information about relations $\prec$, $\preceq$ among all points representing variables of model $\rho$. Forward paths between two points $p_1, p_2 \in P_k$ are represented by proposition $F(p_1, p_2)$, for the strict relation, and $\overline{F}(p_1, p_2)$, for the non strict one. Infinite paths can be represented as "symbolic" cycles originating from relations $F$ and $\overline{F}$ within symbolic valuation $\rho(loop)$ at the position of $loop$. The condition for the existence of arithmetic models of $\rho$ consists in avoiding the existence of a pair of variables $x, x'$ belonging to the same symbolic valuation at position $j$, in suffix $\beta$, which are part of an infinite strict (resp. non strict) forward path and an infinite non strict (resp. strict) backward path such that $x(j+h) < x'(j+m)$, where $h, m$ are positions of variables within symbolic valuations. Before giving the definition of $F$ (and $\overline{F}$), we require a notion of consistency of path which propagates the information of local forward (backward) path from a symbolic valuation at position $i$ to all adjacent symbolic valuations from position $i-1$ to $i-\lfloor\phi\rfloor$. Path consistency between two adjacent symbolic valuations is enforced by the following constraint:

$F(p_1, p_2) \Leftrightarrow F(p'_1, p_2)$ (1)

for all pairs $p_1, p_2 \in P_k$, where $p_1 = (x, j, h)$, and $p'_1$ is

$(x, j-1, h+1)$ if $h \in [\lfloor\phi\rfloor, \lceil\phi\rceil - 1]$ and $j \in [1, k]$
$(x, j+1, h-1)$ if $h \in [\lfloor\phi\rfloor + 1, \lceil\phi\rceil]$ and $j \in [0, k-1]$

where $p_1$ represents variable $x$ at position $h$ within symbolic valuation $sv(j)$ and $p'_1$ represents the same variable at position $h+1$ (or $h-1$) within symbolic valuation $sv(j-1)$ (or $sv(j+1)$). Not only $p_1$ has equivalent points but we need also to consider all the equivalent points to $p_2$:

$F(p_1, p_2) \Leftrightarrow F(p_1, p'_2)$ (2)

for all pairs $p_1, p_2 \in P_k$, where $p_2 = (x, j, h)$, and $p'_2$ is

$(x, j-1, h+1)$ if $h \in [\lfloor\phi\rfloor, \lceil\phi\rceil - 1]$ and $j \in [1, k]$
$(x, j+1, h-1)$ if $h \in [\lfloor\phi\rfloor + 1, \lceil\phi\rceil]$ and $j \in [0, k-1]$.

Consistency rules for $\overline{F}$, $B$ and $\overline{B}$ are defined similarly.

To verify the existence of a path between two points $p_1, p_2 \in P_k$, we check whether there exists a point $p \in P_k$ which is locally related to $p_1$ and such that it is connected via a forward path to $p_2$. First, observe that only "far" points are considered in the definition of $F$ or $\overline{F}$. In fact, two points $p_1$ and $p_2$ such that $|sv(p_2) + shift(p_2) - (sv(p_1) + shift(p_1))| \le -\lfloor\phi\rfloor + \lceil\phi\rceil$ belong to the same symbolic valuation, hence predicate $F(p_1, p_2)$ (or $\overline{F}$) can be derived from the local relation $\prec$. By means of rules (1), (2) information is propagated towards symbolic valuations in the past and the future. For instance, let us consider $\lfloor\phi\rfloor = -1$, $\lceil\phi\rceil = 2$ and a variable $\{x\}$. Point $(x, 3, 2)$ is the same as points $\{(x, 4, 1), (x, 5, 0), (x, 6, -1)\}$; then, they have the same property. While for $p_1 = (x, 3, 0)$ and $p_2 = (x, 5, 0)$ predicate $F(p_1, p_2)$ is $p_1 \prec p_2$, because $p_2$ is still a point within the symbolic valuation at position 3, $F(p_1, (x, 4, 2))$ has to be defined by checking whether there is a local point (i.e. within symbolic valuation $\rho(3)$) in relation with $p_1$ which is, in turn, linked to $(x, 4, 2)$. This entails that the definition of $F$ or $\overline{F}$ (and, symmetrically, of $B$ and $\overline{B}$) can be given only for "far" points that are such that $|sv(p_2) + shift(p_2) - (sv(p_1) + shift(p_1))| > -\lfloor\phi\rfloor + \lceil\phi\rceil$. Predicates $F$ and $\overline{F}$ for all points within the same symbolic valuation are defined by local relations $\prec$ and $\preceq$ as follows:

$F(p_1, p_2) \Leftrightarrow p_1 \prec p_2$
$\overline{F}(p_1, p_2) \Leftrightarrow p_1 \preceq p_2$

where $sv(p_1) = sv(p_2) \in [0, k]$ and $shift(p_1), shift(p_2) \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$. Predicates $F$ and $\overline{F}$ for far points are:

$F(p_1, p_2) \Leftrightarrow \bigvee_{p \in P_k,\; sv(p) = sv(p_1)} \big( (p_1 \prec p \wedge \overline{F}(p, p_2)) \vee (p_1 \preceq p \wedge F(p, p_2)) \big)$

$\overline{F}(p_1, p_2) \Leftrightarrow \bigvee_{p \in P_k,\; sv(p) = sv(p_1)} p_1 \preceq p \wedge \overline{F}(p, p_2)$

for all $p_1, p_2$ such that $sv(p_2) = i \in [1, k]$, $sv(p_1) \in [0, i-1]$, $|sv(p_2) + shift(p_2) - (sv(p_1) + shift(p_1))| > -\lfloor\phi\rfloor + \lceil\phi\rceil$, and $shift(p_1) = \lfloor\phi\rfloor$. Notice that considering $shift(p_1) = \lfloor\phi\rfloor$ suffices to define correctly predicates $F$ and $\overline{F}$. In fact, with reference to Figure 1 all points within a symbolic valuation $\rho(i)$ (with $i \in [0, k]$) are covered by the local relation (e.g., points $(y, i, -1)$ and $(y, i, 0)$, where the local relation is represented through a solid line) while for any $x$, all positions from $(x, 0, \lfloor\phi\rfloor)$ to $(x, k-1, \lfloor\phi\rfloor)$ are covered through argument $p_1$ of the definition above when $sv(p_1) \in [0, k-1]$ and $shift(p_1) = \lfloor\phi\rfloor$ (e.g. $p_1$ and $p_2$ in Figure 1).



[Figure 1: two adjacent symbolic valuations drawn as rectangles over positions $i-1$, $i$, $i+1$, with the local relation as a solid line and the $F/\overline{F}$ relation as a thin dotted line.]

Fig. 1. Adjacent symbolic valuations $\rho(i)$ (solid line) and $\rho(i+1)$ (dotted line) of length 2 not covering both far points $p_1 = (y, i, -1)$ and $p_2$ (a point at symbolic valuation $j$ and shift $h$, with $j > i$ and $-1 \le h \le 1$) of the model.

In Figure 1 we show how propositions $F/\overline{F}$ involving points within symbolic valuations (rectangles) are defined by means of $\prec/\preceq$ (continuous line) whereas "far" points require the conjunction of a local relation (continuous line) and a relation $F/\overline{F}$ (thin dotted line). Moreover, when points $p_1, p_2$ can not be linked by a forward/backward path, i.e. when $sv(p_1) + shift(p_1) > sv(p_2) + shift(p_2)$, then:

$F(p_1, p_2) \Leftrightarrow \bot$ and $\overline{F}(p_1, p_2) \Leftrightarrow \bot$. (5)

We can now define a condition for the existence of infinite paths resulting from iterating infinitely many times suffix $\beta$ of the ultimately periodic model $\alpha\beta^\omega$ of $\phi$. Let $loop \in [1, k]$ be the position of the loop, i.e., the position of symbolic valuation $s$ in the finite word $\alpha s \beta'$ representing $\rho$. An infinite forward (resp. backward) path can be represented as a cycle among variables belonging to a symbolic valuation $\rho(loop-1) = \rho(k)$, by means of predicates $F$ and $\overline{F}$.

We define $LF(p)$ (resp. $\overline{LF}(p)$) as an abbreviation for the condition of existence of a strict (resp. non-strict) cycle (loop forward) on $p$ in symbolic valuation $\rho(loop-1)$ (notice that for each $p$ s.t. $sv(p) = loop-1$ there is only one $p' \in P_k$ s.t. $p \equiv p'$, and it is $sv(p') = k$):

$LF(p) := sv(p) = loop-1 \wedge \forall p' \in P_k\, (p \equiv p' \Rightarrow F(p, p'))$

$\overline{LF}(p) := sv(p) = loop-1 \wedge \forall p' \in P_k\, (p \equiv p' \Rightarrow \overline{F}(p, p'))$.

PROPOSITION 5.13. Let $\rho = \alpha\beta^\omega \in SV(\phi)^\omega$ be an ultimately periodic word; there exists a non-strict (resp. strict) infinite forward path in $\rho$ involving point $p$, with $var(p) \in V$, $sv(p) = loop-1$, and $shift(p) \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$, if, and only if, $\overline{LF}(p)$ (resp. $LF(p)$).

PROOF. Let us suppose that there exists an infinite (non strict) forward path $w$ in $\rho$ and the suffix $\beta$ is of the form $s\beta'$. We can consider that $w$ starts from $s$ without loss of generality, as $\alpha$ is a finite prefix. Let $n = |V| \cdot (-\lfloor\phi\rfloor + \lceil\phi\rceil + 1)$ be the number of points within symbolic valuations. Let us consider the word $\beta^{n^2}$, where the suffix $\beta$ is repeated $n^2$ times. Let $p_i$ be a point such that $sv(p_i) = i$ and $u$ be the position of an occurrence of $s$ in $\rho$ and $\preceq^*$ be the transitive closure of $\preceq$. We represent the sequence of points which are visited by $w$ at each occurrence of $s$ in $\rho$ as:

$p_u \preceq^* p_{u+|\beta|} \preceq^* \dots \preceq^* p_{u+l|\beta|}$

where all points $p_{u+l|\beta|}$, with $l \in [0, n^2]$, are in $w$. Therefore, since the number $n$ of points within symbolic valuations at each position of $\rho$ is finite, then there exists a position $j \le n^2$ such that $p_u \equiv p_{u+j|\beta|}$; i.e., $w$, passing through $\beta^{n^2} s$, visits eventually point $p_{u+j|\beta|}$ which is equivalent to $p_u$. Hence, by transitivity $p_u \preceq^* p_{u+j|\beta|}$. Moreover, let us consider all points $q_{u+l|\beta|}$, with $l \in [0, n^2]$, such that $p_u \equiv q_{u+l|\beta|}$. Then, because suffix $\beta$ is iterated and so are all the relations between two points belonging to each $\beta s$ which occurs in $\rho$, and because $p_u \preceq^* p_{u+j|\beta|}$, we have that $q_{u+l|\beta|} \preceq^* q_{u+(l+1)|\beta|}$ for all $l \in [0, n^2 - 1]$ where each relation $\preceq^*$ between $q_{u+l|\beta|}$, $q_{u+(l+1)|\beta|}$ is witnessed by a path within the corresponding occurrence of $\beta s$ which is recursively defined as $q_{u+l|\beta|} \preceq p_{u+l|\beta|} \preceq^* q_{u+(l+1)|\beta|}$, for some $p_{u+l|\beta|}$. By definition of $\overline{F}$ over the prefix $\rho' = \alpha s \beta' s$ of $\rho$ we have $\overline{F}(p, p') = p \preceq p'' \wedge \overline{F}(p'', p')$ where points $p, p' \equiv p_u$ are representative of all points $q_{u+l|\beta|}$, $sv(p) = loop-1$ and $\rho(loop-1) = s$, $sv(p') = k$ and $\rho(k) = s$ and $p'' = p_{u+l|\beta|}$.

Conversely, when $\overline{F}(p, p')$ holds, with $p = (x, loop-1, h)$ and $p' = (x, k, h)$ by definition, we have:

$\overline{F}(p, p') \Leftrightarrow p \preceq p'' \wedge \overline{F}(p'', p')$.

Recursively, each term $\overline{F}(p'', p')$ entails a path from $p''$ to $p'$ such that $p'' \preceq^* p'$. The infinite path visits infinitely often all points of the path $p \rightarrow p'' \rightarrow \dots \rightarrow p'$. Since $p \equiv p'$ and the suffix $\beta$ is repeated infinitely often, then the sequence of points $p \rightarrow p'' \rightarrow \dots \rightarrow p'$ is visited infinitely many times. Therefore, point $p$ belongs to an infinite forward path along $\rho = \alpha\beta^\omega$.

In case of infinite strict forward paths, the previous arguments can be adapted as follows. The first part of the proof has to be modified in the length of the word $\beta^t$ which one has to consider to find the occurrence of a point in $w$ which is equivalent to $p_u$. By taking $t$ big enough (at most the number of all possible paths between two points in $\beta$ for all $n^2$ pairs of points), it is possible to find a suitable position $j \le t$ such that $p_{u+j|\beta|} \equiv p_u$. The second side of the implication is proved by considering the two cases $F(p, p') \Leftrightarrow p \prec p'' \wedge \overline{F}(p'', p')$ and $F(p, p') \Leftrightarrow p \preceq p'' \wedge F(p'', p')$. □

Analogously, we can define predicates $B$, $\overline{B}$ for backward relations, $LB$ and $\overline{LB}$ for backward cycles. Proposition 5.13 can be given also in case of backward paths.

PROPOSITION 5.14. Let $\rho = \alpha\beta^\omega \in SV(\phi)^\omega$ be an ultimately periodic word. There exists a non-strict (resp. strict) infinite backward path in $\rho$ involving point $p$, with $var(p) \in V$, $sv(p) = loop-1$, and $shift(p) \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$, if, and only if, $\overline{LB}(p)$ (resp. $LB(p)$).

Our condition for the non existence of an arithmetic model follows immediately from Definition 2.6 and by previous Propositions 5.13 and 5.14. The condition holds when there exists a symbolic valuation $\rho(j)$, with $j \in [loop-1, k]$, such that a strict (resp. non strict) forward path and a non strict (resp. strict) backward path are linked together by means of a strict edge $<$:

$\exists p_1, p_2, p'_1, p'_2, p_f, p_b \left( \begin{array}{l} \overline{F}(p_1, p_f) \wedge \overline{F}(p_f, p_2) \wedge T^B(p'_1, p_b, p'_2) \wedge (p_f \prec p_b \vee p_f \succ p_b) \\ \vee \\ \overline{B}(p'_1, p_b) \wedge \overline{B}(p_b, p'_2) \wedge T^F(p_1, p_f, p_2) \wedge (p_f \prec p_b \vee p_f \succ p_b) \end{array} \right)$ (6)

where $p_1, p_2, p'_1, p'_2, p_f, p_b \in P_k$ such that $p_1 \equiv p_2$, $p'_1 \equiv p'_2$, $p_1 \ne p'_1$ and $p_f, p_b$ are such that $sv(p_f), sv(p_b) \in [loop-1, k]$.

Predicates $T^F(p_1, p, p_2)$ and $T^B(p_1, p, p_2)$ formalize the existence of, respectively, strict forward and strict backward paths between $p_1$ and $p_2$ visiting $p$. They are defined as follows, for all points $p_1, p_2, p \in P_k$ such that $sv(p_1) = loop-1$, $sv(p_2) = k$ and $sv(p) \in [loop, k]$:

$T^B(p_1, p, p_2) \Leftrightarrow (B(p_1, p) \wedge \overline{B}(p, p_2)) \vee (\overline{B}(p_1, p) \wedge B(p, p_2))$
$T^F(p_1, p, p_2) \Leftrightarrow (F(p_1, p) \wedge \overline{F}(p, p_2)) \vee (\overline{F}(p_1, p) \wedge F(p, p_2))$

Notice that $\overline{F}(p_1, p_f) \wedge \overline{F}(p_f, p_2)$ in (6) implies $\overline{LF}(p_1)$, while $T^F(p_1, p_f, p_2)$ implies $LF(p_1)$. Similarly for $\overline{LB}(p'_1)$ and $LB(p'_1)$.



Remark 5.15. Though different from Property 2.6 the condition of nonexistence of arithmetic models formalized by formula (6) is equivalent to the former, as discussed in the following. We summarize condition (6) to make the comparison easier:

— there is an infinite forward path $f$ from $p_1$, where $sv(p_1) = loop-1$ (witnessed by either $\overline{LF}(p_1)$ or $LF(p_1)$ implied in (6));

— there is an infinite backward path $b$ from $p'_1$, where $sv(p'_1) = loop-1$ (witnessed by either $\overline{LB}(p'_1)$ or $LB(p'_1)$ implied in (6));

— either $f$ or $b$ are strict;

— there are two points $p_f$ of $f$ and $p_b$ of $b$ such that $sv(p_f) = sv(p_b)$ and $p_f \prec p_b$ or $p_f \succ p_b$.

In particular, Part 4 of Property 2.6 is slightly different, since it states that for each $i, j \in \mathbb{N}$, given a forward path $d$ and a backward path $e$, whenever $d(i)$ and $e(j)$ belong to the same symbolic valuation there is an edge labeled by $<$ from $d(i)$ to $e(j)$. In other words, this means that point $p_d$ representing $d(i)$ and point $p_e$ representing $e(j)$ are such that either $p_d \prec p_e$ (if $sv(p_d) + shift(p_d) < sv(p_e) + shift(p_e)$) or $p_d \succ p_e$ (if $sv(p_d) + shift(p_d) > sv(p_e) + shift(p_e)$). Observe that Property 2.6 is defined for a general $G_\rho$ while our condition (6) is adapted to the finite representation of ultimately periodic symbolic models $\rho = \alpha\beta^\omega$.

Let us consider that condition (6) holds. Therefore, there exists a pair of points $p_1$ and $p'_1$, such that $sv(p_1) = sv(p'_1) = loop-1$, visited respectively by an infinite forward path, including point $p_f$, and an infinite backward path, including point $p_b$, such that $p_f \prec p_b$ or $p_f \succ p_b$. By transitivity, this immediately entails $p_1 \prec p'_1$ or $p_1 \succ p'_1$. Now, we have to consider two cases. Let us consider any two points $u$ and $v$ such that $sv(u) = sv(v) < sv(p_1)$ (we consider two points in the prefix $\alpha sv_{loop}$). If $u$ is connected to $p_1$ by a forward path, i.e., $F(u, p_1)$ or $\overline{F}(u, p_1)$, and $v$ is connected to $p'_1$ by a backward path, i.e., $B(v, p'_1)$ or $\overline{B}(v, p'_1)$, then $u \prec v$ or $u \succ v$ (and so we obtain condition 4 of Property 2.6). In the second case, we choose two points $u, v$ belonging to the same symbolic valuation in the suffix $\beta$ which are visited by a forward and a backward path, respectively, i.e., $F(u, p_2)$ or $\overline{F}(u, p_2)$ and $B(v, p'_2)$ or $\overline{B}(v, p'_2)$, where $p_1 \equiv p_2$ and $p'_1 \equiv p'_2$. Again, since $\beta$ is repeated infinitely many times then it must be $u \prec v$ or $u \succ v$, because there exist a forward path from $u$ to $p_2$ and from $p_2$ to a point $\hat{p}_f \equiv p_f$ and a backward path from $v$ to $p'_2$ and from $p'_2$ to a point $\hat{p}_b \equiv p_b$ such that $\hat{p}_f \prec \hat{p}_b$ or $\hat{p}_f \succ \hat{p}_b$.

Conversely, if Property 2.6 holds, then there exist a forward path and a backward path which have two points $p_f$ and $p_b$ such that $p_f \prec p_b$, as shown in the proof of Lemma 6.2 of [Demri and D'Souza 2007]. Essentially, this is a consequence of the fact that if $\rho$ does not admit a model, then there are two points $u, v$ which can be connected together by a path which contains an infinite number of strict relations $<$. Since $\rho$ is ultimately periodic, and the number of pairs of points such that $p_f \prec p_b$ is finite, by choosing an appropriate number of iterations of $\beta$ there must be two equivalent points which are connected by a strict path. This is witnessed by our condition (6), in particular, by looking for two points $p_f, p_b$ belonging to a forward path and a backward path which are connected, i.e., $p_f \prec p_b$ or $p_f \succ p_b$.



We have the next theorem, which extends Proposition 5.11 to constraint system IPC*, which does not benefit of the completion property.

THEOREM 5.16. Let $\phi \in CLTLB(\mathcal{D})$ and $\mathcal{D}$ be IPC*. Then, $\phi$ is $k$-satisfiable and formula (6) does not hold if, and only if, formula $\phi$ has a model $\alpha\beta^\omega$, with $|\alpha\beta| = k+1$.

Proof. By Theorem 5.10 $\phi$ is $k$-satisfiable if, and only if, formula $|\phi|_k$ is satisfiable. By hypothesis of the theorem, formula $|\phi|_k$ induces a model $\sigma_k$. Formula (6) constrains values of model $\sigma_k$, being a set of formulae over values of variables defined by sequence $\alpha\beta$ of symbolic valuations of length $k$. By Theorem 5.8 symbolic model $\rho$ is such that $\rho \models \phi$. Finally, since formula (6) does not hold then sequence $\rho$ admits a model $\sigma$ such that $\sigma \models \phi$, by Proposition 2.7. Model $\sigma$ can be obtained from $\sigma_k$ by iterating suffix $\beta$ and by providing an edge-respecting labeling of $G_\rho$.

Conversely, if formula $\phi$ is satisfiable, then automaton $\mathcal{A}_\phi$ recognizes models which satisfy condition $C$. Then, $k$-models can be obtained as in the proof of Proposition 5.11. □



In order to encode the previous formulae into QF-EU$\mathcal{D}$ formulae, where $\mathcal{D}$ is a suitable constraint system embedding $\mathbb{N}$ and having the successor function plus order $<$, we rearrange the formulae above by splitting information, which is now encapsulated in the notion of point, on variables and positions over the model. To encode local forward paths we introduce predicate $f_{x,y} : \mathbb{N}^3 \rightarrow \{true, false\}$ for all pairs $x, y \in V \cup const(\phi)$ (and similarly $\overline{f}_{x,y}$) to encode relation $p_1 \prec p_2$ ($p_1 \preceq p_2$) where $p_1 = (x, j, h)$ and $p_2 = (y, j, m)$:

$f_{x,y}(j, h, m) \Leftrightarrow \sigma_k(j+h, x) < \sigma_k(j+m, y)$ for $0 \le j \le k$ and $h < m$
$\overline{f}_{x,y}(j, h, m) \Leftrightarrow \sigma_k(j+h, x) \le \sigma_k(j+m, y)$ for $0 \le j \le k$ and $h < m$
$f_{x,y}(j, h, m) \Leftrightarrow \bot$ and $\overline{f}_{x,y}(j, h, m) \Leftrightarrow \bot$ for $0 \le j \le k$ and $h \ge m$

for all $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$. When both $x, y \in const(\phi)$ then $f_{x,y} \Leftrightarrow x < y$ and $\overline{f}_{x,y} \Leftrightarrow x \le y$ for all $0 \le j \le k$ and $h < m$; $f_{x,y} \Leftrightarrow \bot$ and $\overline{f}_{x,y} \Leftrightarrow \bot$ for all $0 \le j \le k$ and $h \ge m$. Notice that the value of $\sigma_k(0+h, x)$ equals the value of term $a = \mathbf{Y}^{-h} x$, for $h \in [\lfloor\phi\rfloor, -1]$, or of term $a = \mathbf{X}^h x$, for $h \in [0, \lceil\phi\rceil]$. Then, the value of $\sigma_k(0+h, x)$ is $a(0)$, and similarly $\sigma_k(k+h, x)$ is $a(k)$ (see $|ArithConstraints|_k$ in Section 4). Observe that constants are implicitly included in the model. For instance, if $5 \in const(\phi)$ and $x \in V$ we have the following formulae $f_{x,5}(j, h, m) \Leftrightarrow \sigma_k(j+h, x) < 5$ and $f_{5,x}(j, h, m) \Leftrightarrow 5 < \sigma_k(j+m, x)$.

Predicates $F$ are encoded by uninterpreted predicates $F_{x,y} : \mathbb{N}^4 \rightarrow \{true, false\}$ for all pairs of variables $x, y \in V \cup const(\phi)$. Consistency of predicate $F$ is then enforced by formula $|ConsistencyConstraints|_k$:

$\bigwedge_{i \in [1,k]} \bigwedge_{m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]} \left( \bigwedge_{j \in [0,i-1],\; h \in [\lfloor\phi\rfloor+1, \lceil\phi\rceil]} F_{x,y}(j, h, i, m) \Leftrightarrow F_{x,y}(j+1, h-1, i, m) \;\wedge\; \bigwedge_{j \in [1,i-1],\; h \in [\lfloor\phi\rfloor, \lceil\phi\rceil-1]} F_{x,y}(j, h, i, m) \Leftrightarrow F_{x,y}(j-1, h+1, i, m) \right)$

and

$\bigwedge_{j \in [0,k-1]} \bigwedge_{h \in [\lfloor\phi\rfloor, \lceil\phi\rceil]} \left( \bigwedge_{i \in [j,k-1],\; m \in [\lfloor\phi\rfloor+1, \lceil\phi\rceil]} F_{x,y}(j, h, i, m) \Leftrightarrow F_{x,y}(j, h, i+1, m-1) \;\wedge\; \bigwedge_{i \in [j+1,k],\; m \in [\lfloor\phi\rfloor, \lceil\phi\rceil-1]} F_{x,y}(j, h, i, m) \Leftrightarrow F_{x,y}(j, h, i-1, m+1) \right)$.
Formulae defining $F$ are encoded as follows:

$F_{x,y}(j, h, i, m) \Leftrightarrow \bigvee_{z \in V \cup const(\phi)} \bigvee_{u \in [\lfloor\phi\rfloor, \lceil\phi\rceil]} \big( (f_{x,z}(j, h, u) \wedge \overline{F}_{z,y}(j, u, i, m)) \vee (\overline{f}_{x,z}(j, h, u) \wedge F_{z,y}(j, u, i, m)) \big)$

$\overline{F}_{x,y}(j, h, i, m) \Leftrightarrow \bigvee_{z \in V \cup const(\phi)} \bigvee_{u \in [\lfloor\phi\rfloor, \lceil\phi\rceil]} \overline{f}_{x,z}(j, h, u) \wedge \overline{F}_{z,y}(j, u, i, m)$

for all $j, i \in [0, k]$ with $j < i$ and for all $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$ such that $j+h < i+m$, $i+m-(j+h) > -\lfloor\phi\rfloor + \lceil\phi\rceil$, $h = \lfloor\phi\rfloor$, $(x = z) \Rightarrow (h \ne u)$ and for all pairs $x, y \in V \cup const(\phi)$. When $j = i \in [0, k]$ and $h < m$, with $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$:

$F_{x,y}(j, h, j, m) \Leftrightarrow f_{x,y}(j, h, m)$
$\overline{F}_{x,y}(j, h, j, m) \Leftrightarrow \overline{f}_{x,y}(j, h, m)$

When $j+h > i+m$ then:

$F_{x,y}(j, h, i, m) \Leftrightarrow \bot$
$\overline{F}_{x,y}(j, h, i, m) \Leftrightarrow \bot$

Figure 2 shows how predicate $F_{x,x}(i, 1, j, 1)$ is defined as the conjunction of local relation $f_{x,y}(i, 0, 1)$ and $F_{y,x}(i, 1, j, 1)$.

[Figure 2: $F_{x,x}(i, 1, j, 1)$ drawn as the local relation $f_{x,y}(i, 0, 1)$ followed by the relation $F_{y,x}(i, 1, j, 1)$.]

Fig. 2. Definition of $F$ by local relations $f$.

Predicates capturing the definitions of backward loops are defined similarly (see Appendix 9.4 for further details).

We introduce the following abbreviations, which capture infinite forward (backward) paths that form a cycle at positions $loop-1$ and $k$:

$LF_x(h) := F_{x,x}(loop-1, h, k, h)$

$\overline{LF}_x(h) := \overline{F}_{x,x}(loop-1, h, k, h)$

for all $x \in V$ and $h \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$. By definition of backward paths, abbreviations $LB$ and $\overline{LB}$ are instead defined between positions $k$ back to $loop-1$:

$LB_x(h) := B_{x,x}(k, h, loop-1, h)$

$\overline{LB}_x(h) := \overline{B}_{x,x}(k, h, loop-1, h)$

Finally, our condition is encoded by the following QF-EU2? formula. The condition is expressed 
with reference to a pair of elements x,x' E V U const(ip), hence it is parametric with respect to 
them. The condition is meaningful only if x ^ x' and if either x ^ const(cf>) or x' ^ const((j>). In 
fact, a constant value never generates a strict (forward or backward) path; therefore, two constants 
can not satisfy the condition of non-existence of an arithmetical model. Also, forp = (x, loop—1, h) 
it cannot be LF(p) f\LB(p) nor LF(p) ALB(p). The formula C x , x > (i) below captures the existence 
in p(i) of a strict relation < between two points, one of a forward and one of backward path, which 
involve variables x and x': 

$$C_{x,x'}(i) := \bigvee_{y, y' \in V \cup const(\varphi)} \exists h, h', n, n' \left(\begin{array}{l} F_{x,y}(loop-1, h, i, n) \wedge F_{y,x}(i, n, k, h) \wedge T^B_{x',y'}(h', i, n') \wedge \big(f_{y,y'}(i, n, n') \vee b_{y,y'}(i, n, n')\big) \\ \vee \\ B_{x,y}(i, n, loop-1, h) \wedge B_{y,x}(k, h, i, n) \wedge T^F_{x',y'}(h', i, n') \wedge \big(f_{y',y}(i, n', n) \vee b_{y',y}(i, n', n)\big) \end{array}\right)$$

where h, h', n, n' ∈ [⌊φ⌋, ⌈φ⌉]. Predicates T^F and T^B are essentially shorthands defined as follows:

$$T^B_{x,y}(h, i, n) \Leftrightarrow \big(B_{x,y}(k, h, i, n) \wedge B_{y,x}(i, n, loop-1, h)\big) \vee \big(\overline{B}_{x,y}(k, h, i, n) \wedge \overline{B}_{y,x}(i, n, loop-1, h)\big)$$

$$T^F_{x,y}(h, i, n) \Leftrightarrow \big(F_{x,y}(loop-1, h, i, n) \wedge F_{y,x}(i, n, k, h)\big) \vee \big(\overline{F}_{x,y}(loop-1, h, i, n) \wedge \overline{F}_{y,x}(i, n, k, h)\big).$$
The existence condition of an arithmetical model is captured by the formula:

$$\bigwedge_{\substack{x, x' \in V \cup const(\varphi) \\ x \neq x',\ x \notin const(\varphi) \vee x' \notin const(\varphi)}} \forall i\, \big(loop - 1 \le i \le k \Rightarrow \neg C_{x,x'}(i)\big) \qquad (7)$$

The universal quantifier ranges over a finite domain: the set of time positions from loop − 1 to k. Therefore, formula (7) is actually a QF-EU(ℕ, <) formula, because quantifiers ranging over finite sets of elements can be represented by conjunctions. However, we can devise a simpler condition than the previous one, which avoids the universal quantifier over time positions i. In fact, as mentioned in Remark 5.15, it can be shown that, given a pair x, x', there is a position i ∈ [loop − 1, k] such that C_{x,x'}(i) if and only if for all i ∈ [loop − 1, k] it is C_{x,x'}(i). In other words, for all i ∈ [loop − 1, k] it is ¬C_{x,x'}(i) if and only if there is at least one i ∈ [loop − 1, k] such that ¬C_{x,x'}(i). Then, for each pair x, x' we introduce an arithmetic term i_{xx'}, and we build the following QF-EU(ℕ, <) constraint:

$$\bigwedge_{\substack{x, x' \in V \cup const(\varphi) \\ x \neq x',\ x \notin const(\varphi) \vee x' \notin const(\varphi)}} (loop - 1 \le i_{xx'} \le k) \wedge \neg C_{x,x'}(i_{xx'}). \qquad (8)$$

Both formulae (7) and (8) are quantifier-free, but formula (8) also avoids the explicit finite quantification over position i; moreover, it exploits the features of satisfiability solvers: when (8) is solved, for each pair x, x' the solver looks for a value to assign to i_{xx'}; if it cannot find any, then the formula is unsatisfiable and no arithmetic model exists.

Finally, given a CLTLB(IPC*) formula φ, we feed the solver the following QF-EU(IPC*) formula:

$$|\varphi|_k \wedge (8). \qquad (9)$$

If QF-EUF formula (9) is unsatisfiable, then either φ does not admit symbolic models, or none of its symbolic models admits an arithmetic model. Conversely, if QF-EUF formula (9) is satisfiable, then there is a symbolic model ρ of φ for which condition (8) holds, hence ρ admits an arithmetic model and φ is satisfiable.

Figure 3 shows an example of a model satisfying our non-existence condition C_{x,x'}(i).
5.2. Complexity 

In this section we provide an estimate of the size of the formulae constituting the encoding of Section 4, including, where needed, the constraints of Section 5.1.

The encoding of Section 4 is linear in the size of the formula φ (and in the bound k). In fact, if m is the total number of subformulae and n is the total number of temporal operators U and R occurring in φ, the QF-EUD encoding requires n + 1 integer variables (one for loop and one j for each U or R operator) and m unary predicates (one for each subformula in cl(φ)).



The total size of the formulae in Section 5.1 is polynomial in the bound k, in the cardinality of the set of variables and constants, and in the size of symbolic valuations. In fact, the encoding of the condition for the existence of an arithmetical model requires a QF-EU(ℕ, <, =) formula of size quadratic in the length k and in the number |V| of variables, but doubly quadratic in the size of symbolic valuations.

Fig. 3. Model satisfying the non-existence condition C_{x,x'}(i).

Let λ = ⌈φ⌉ − ⌊φ⌋ + 1 be the size of symbolic valuations and V' be the set V ∪ const(φ). The total number of non-trivial predicates f_{x,y}, \overline{f}_{x,y} (resp. b_{x,y}, \overline{b}_{x,y}), i.e., those where h < m, is given by the following parametric formula:

$$N(a, b) = (k+1) \sum_{i=1}^{\lambda} |a| \cdot \big((\lambda - i) + (|b| - 1)(\lambda - i + 1)\big) = (k+1)\Big(|a||b|\,\frac{\lambda(\lambda+1)}{2} - |a|\lambda\Big).$$

Each predicate has fixed dimension and the number of non-trivial ones results from the sum of the following three cases:

— x, y ∈ V, which is N(|V|, |V|)

— x ∈ V, y ∈ const(φ), which is N(|V|, |const(φ)|)

— x ∈ const(φ), y ∈ V, which is N(|const(φ)|, |V|),

which is bounded by N_local = N(|V'|, |V'|) ≤ (k + 1)|V'|²λ².

In order to compute the size of formulae F, \overline{F} (resp. B, \overline{B}) we first determine the number of pairs of points for which F_{x,y}(j, h, i, m) is not trivially false. The following function N_{p,p'}

$$N_{p,p'} = |V'| \sum_{i=1}^{k+\lambda-1} |V'|\, i = |V'|^2\, \frac{(k+\lambda-1)(k+\lambda)}{2} \le |V'|^2 (k+\lambda)^2$$

corresponds to the number of pairs of points p, p' that generate non-trivial predicates F, \overline{F} (resp. B, \overline{B}) because their position is such that sv(p_1) + shift(p_1) < sv(p_2) + shift(p_2) (resp. sv(p_1) + shift(p_1) > sv(p_2) + shift(p_2)). We compute the size of (non-trivial) formulae F, \overline{F} (and B, \overline{B}) by counting the number of subformulae involved in their definition. We consider only the case of F because the others have the same (worst-case) complexity. Each formula F involves, in the worst case (i.e., for points that do not belong to the same symbolic valuation), |V| − 1 variables z ∈ V with respect to λ different positions u. Then, an instance of F requires at most (|V| − 1)λ disjuncts. The upper bound for the total size of all formulae defining predicates F, \overline{F} (resp. B, \overline{B}) is

$$N_{far} = N_{p,p'}\, 2(|V| - 1)\lambda \le \lambda |V| |V'|^2 (k+\lambda)^2 \le \lambda |V'|^3 (k+\lambda)^2.$$

The analysis of formulae [ConsistencyConstraints]_k shows that each point belongs to λ symbolic valuations (e.g., if ⌊φ⌋ = 0, ⌈φ⌉ = 1, then λ = 2, and points (x, 4, 1) and (x, 5, 0) correspond to the same element), and for all pairs p_1, p_2 we define consistency among the λ points corresponding to p_1 and the λ points corresponding to p_2. Therefore, we need at most

$$N_{CC} = \lambda^2 |V'|^2\, \frac{(k+\lambda-1)(k+\lambda)}{2} \le \lambda^2 |V'|^2 (k+\lambda)^2$$

constraints [ConsistencyConstraints]_k, where each formula is of fixed dimension.

Finally, predicate C_{x,x'}(i) appears in formula (8) once for each of the |V'||V|λ² pairs of points x, x'. In addition, each instance of C_{x,x'}(i) has (|V'|λ)² disjuncts, one for each possible p_f, p_b of the formula. Index i instead is a free variable in (8) and we do not need to consider it in the size of the formula. Therefore, the total size of formulae C_{x,x'}(i) in (8) is N_C = |V||V'|³λ⁴.

Finally, the complete set of formulae that we require to capture the existence condition of arithmetical models over discrete domains has the following total size:

$$4N_{local} + 4N_{far} + 2N_{CC} + N_C \le 4(k+1)|V'|^2\lambda^2 + 4\lambda|V'|^3(k+\lambda)^2 + 2\lambda^2|V'|^2(k+\lambda)^2 + |V||V'|^3\lambda^4.$$

5.3. Simplifying the existence condition 

In this section, we relax the condition of the existence of an arithmetical model σ for sequences of symbolic valuations. First of all, we introduce an alternative condition for the existence of arithmetic models defined in [Demri and D'Souza 2007]. Before providing the definition, we introduce the notion of order of a path in the graph representing symbolic models. Let us consider the graph G_ρ associated with a sequence of symbolic valuations ρ ∈ SV(φ) presented in Section 2.4. We consider directed paths in G_ρ whose arcs are labeled with < or ≤ relations. We define the order o(u) of a directed path u between two points a = (x, i) and b = (y, j) in G_ρ as the number of <-labeled edges occurring in u. The order o(a, b) between two points is the supremum of the set {o(u) : u is a directed path from a to b}.

Lemma 5.17 (Lemma 6.1 in [Demri and D'Souza 2007]). Let ρ be a locally consistent sequence of symbolic valuations from SV(φ). Then, there exists a model σ such that σ ⊨ φ if, and only if, the order o(u, v) of any pair of points u, v in G_ρ is finite.

Lemma 5.17, combined with the definition of symbolic valuations as maximally consistent sets of D-constraints, produces a condition for the existence of arithmetic models that is in fact too strong for our needs. Consider for example the following formula

$$G\big(x < Xx \wedge \neg(y < Xy)\big) \qquad (10)$$

which enforces strict increasing monotonicity for variable x and decreasing monotonicity for variable y. Figure 4 shows a symbolic model for formula (10) which does not admit an arithmetic model, as o((x, 0), (y, 0)) = ∞. However, in (10) x and y are not compared, neither directly nor indirectly, so if we disregard the relations between them in the symbolic model of Figure 4 and produce an assignment of the variables that only respects the relations between variables that are actually compared in the formula (i.e., x with itself, and y with itself), we obtain an arithmetic model for (10). Figure 5 shows a "weaker" version of the symbolic model of Figure 4, one that only includes relations between variables compared in the formula. This weaker version of the symbolic model requires fewer formulae to be included in the QF-EU(D) encoding than the maximally consistent one, as it does not contain any comparison between unrelated terms, hence it is more concise.

Fig. 4. Symbolic model for formula (10).

Fig. 5. A weak symbolic model for formula (10).

To characterize sequences of symbolic valuations which do not take into account relations among variables that are not compared with each other in a formula φ, we first remark that φ induces a finite partition {V_1, ..., V_h} of the set V such that x, y ∈ V_l if and only if there is a D-constraint R(X^i x, X^j y) occurring in φ, for some i, j ∈ ℤ. Then, we introduce the notions of weak symbolic valuation and of sequence of weak symbolic valuations, and we draw a relation with their standard definitions.

Given a symbolic valuation sv ∈ SV(φ), its weak version \overline{sv} is obtained by removing from sv all relations R(X^i x, X^j y) such that x ∈ V_l and y ∈ V_t implies l ≠ t. We indicate with SV_w(φ) the set of all weak symbolic valuations. Given a CLTLB(D) formula φ, its weak symbolic model \overline{ρ} is a sequence in SV_w(φ)^ω of weak symbolic valuations such that \overline{ρ} ⊨ φ. The following proposition shows that weak symbolic models are enough to solve satisfiability problems, since they embed only information among related variables, i.e., those belonging to the same class V_l ⊆ V.
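The partition induced by a formula and the weakening of a symbolic valuation, worked on formula (10), as an added example (not code from the paper or from Zot). The tuple representation of constraints, the sample symbolic valuation and the function names are this example's own choices.

```python
"""Variable partition induced by a CLTLB(D) formula and the weak version of
a symbolic valuation (Section 5.3).  Added example, not code from the paper.
A constraint is a tuple (x, i, y, j, rel) standing for the atomic formula
rel(X^i x, X^j y); a symbolic valuation is a set of such tuples whose
positions lie in [floor(phi), ceil(phi)].  All inputs below are constructed.
"""

def partition(constraints, variables):
    """Classes V_1..V_h of V: x and y share a class iff they are compared by
    some constraint of phi (closed under chaining, computed by union-find)."""
    parent = {v: v for v in variables}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]   # path compression
            v = parent[v]
        return v

    for x, _, y, _, _ in constraints:
        parent[find(x)] = find(y)          # merge the classes of x and y
    classes = {}
    for v in variables:
        classes.setdefault(find(v), set()).add(v)
    return {frozenset(c) for c in classes.values()}

def weak_valuation(sv, classes):
    """Weak version of sv: drop every relation between terms whose variables
    lie in different classes of the partition (x in V_l, y in V_t, l != t)."""
    cls = {v: c for c in classes for v in c}
    return {r for r in sv if cls[r[0]] == cls[r[2]]}

# Formula (10): G(x < Xx and not(y < Xy)).  Both constraints compare a
# variable only with itself, so V = {x, y} splits into {x} and {y}.
PHI10 = [("x", 0, "x", 1, "<"), ("y", 0, "y", 1, "<")]

# Constructed maximally consistent symbolic valuation over positions 0 and 1
# (floor(phi) = 0, ceil(phi) = 1): x strictly increasing, y strictly
# decreasing, and every x-term below every y-term.
SV_FULL = {
    ("x", 0, "x", 1, "<"), ("y", 1, "y", 0, "<"),
    ("x", 0, "y", 0, "<"), ("x", 1, "y", 1, "<"),
    ("x", 0, "y", 1, "<"), ("x", 1, "y", 0, "<"),
}

def weak_sv_for_phi10():
    """Partition of V for formula (10) and the weak version of SV_FULL:
    only the x-x and y-y relations survive, as in Figure 5."""
    classes = partition(PHI10, {"x", "y"})
    return classes, weak_valuation(SV_FULL, classes)

if __name__ == "__main__":
    classes, weak = weak_sv_for_phi10()
    print("classes:", [sorted(c) for c in classes])
    print("weak valuation:", sorted(weak))
```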

PROPOSITION 5.18. Let φ be a CLTLB(D) formula, ρ ∈ SV(φ)^ω, \overline{ρ} its weak version and σ a sequence of D-valuations. Then,

$$\rho \models \varphi \text{ and } \sigma \models \rho \;\Leftrightarrow\; \overline{\rho} \models \varphi \text{ and } \sigma \models \overline{\rho}.$$

Proof. First of all, it is straightforward to show that, if v' is an assignment to terms (see Section 2.4), then v' ⊨_D f(sv) entails v' ⊨_D f(\overline{sv}). Moreover, if v' ⊨_D f(\overline{sv}) then there exists a symbolic valuation sv' such that \overline{sv'} = \overline{sv} and v' ⊨_D f(sv').

Then, let {V_1, ..., V_h} be the partition of the set V.

The first direction is immediate because all symbolic valuations in ρ contain relations between terms whose variables are not related in φ. In particular, the symbolic valuations in ρ involve D-constraints between variables belonging to different classes of the partition of V. Therefore, from the considerations above, the weak version \overline{ρ} of ρ is still such that σ ⊨ \overline{ρ}. Moreover, \overline{ρ} ⊨ φ follows from the definition of ⊨ with respect to atomic formulae R(α_1, ..., α_n). In fact, for all i and R(α_1, ..., α_n) occurring in φ, if ρ, i ⊨ R(α_1, ..., α_n) then \overline{ρ}, i ⊨ R(α_1, ..., α_n).

Conversely, suppose we have \overline{ρ} ⊨ φ and σ ⊨ \overline{ρ}. Then, from σ one can deduce, by Lemma 5.3, a unique sequence of symbolic valuations ν, by iterating the result for increasing values of k. Then, we immediately obtain that σ ⊨ ν. As discussed in the first part of the proof, ν is a symbolic model for formula φ. In fact, we observe that the weak version \overline{ν} of ν is exactly \overline{ρ}, because both are such that σ ⊨ \overline{ρ} and σ ⊨ ν (for each position they must exhibit the same relations of φ between two (or more) terms). Moreover, we have that ν ⊨ φ because, for all i and R(α_1, ..., α_n) occurring in φ, if \overline{ν}, i ⊨ R(α_1, ..., α_n), then ν, i ⊨ R(α_1, ..., α_n). In other words, additional relations in symbolic valuations occurring in ν (but not in φ) do not affect the truth values of the relations occurring in φ. □



For this reason, we can use the partition of V to refine Lemma 5.17. Let {V_1, ..., V_h} be a partition of V derived from φ. Let ρ be a locally consistent sequence of symbolic valuations from SV_w(φ). We say that two points u = (x, i) and v = (y, j) ∈ G_ρ are homogeneous when x, y ∈ V_l, with l ∈ [1, h].



ACM Transactions on Computational Logic, Vol. V, No. N, Article A, Publication date: January YYYY. 



Constraint LTL Satisfiability Checking without Automata A:31 

COROLLARY 5.19. Let {V_1, ..., V_h} be a partition of V derived from φ. Let ρ be a locally consistent sequence of weak symbolic valuations from SV_w(φ). Then, there exists a model σ such that σ ⊨ φ if and only if the order o(u, v) of any pair of homogeneous points u, v in G_ρ is finite.

Proof. The result follows from Proposition 5.18 because weak symbolic models ρ, and consequently their graph G_ρ, relate only points whose variables are homogeneous. □

6. COMPLETENESS 

Completeness has been studied in depth for Bounded Model Checking. Given a state-transition system M, a temporal logic property φ and a bound k ≥ 0, BMC looks for a witness of length k for ¬φ. If no witness exists then the length k may be increased and BMC reapplied. In principle, the process terminates when a witness is found or when k reaches a value, the completeness threshold (see Definition 3.1), which guarantees that if no counterexample has been found so far, then no counterexample disproving property φ exists in the model. For LTL it is shown that a completeness threshold always exists; [Clarke et al. 2004] shows a procedure to estimate an over-approximation of the value, by satisfying a formula representing the existence of an accepting run of the product automaton M × B_{¬φ}, where B_{¬φ} is the Büchi automaton for ¬φ and M is the system to be verified. In [Bersani et al. 2011] we have already given a positive answer to the problem of whether there exists a completeness threshold for the satisfiability problem for CLTLB(D), provided that D satisfies suitable conditions, informally summarized here:

— ultimately periodic symbolic models of the form αβ^ω of CLTLB(D) formulae admit an arithmetic model and

— the length k characterizing the k-satisfiability tests to be checked is bounded with respect to the size of the formula.

The previous two assumptions hold when the constraint system D defining atomic formulae has the completion property (see Section 2.4.1) or when condition C holds (see Proposition 2.8). In these cases, if a CLTLB(D) formula φ is satisfiable, then all ultimately periodic symbolic models ρ, such that ρ ⊨ φ, admit an arithmetic model σ such that σ ⊨ ρ. In [Bersani et al. 2011] we used an automata- and logic-based approach to show how completeness can be achieved for the satisfiability problem, where automata A_C and A_E are still explicitly constructed (see Section 2.4 for details on A_C and A_E). In that work the CLTLB(D) representations φ_{A_C} and φ_{A_E} of the automata are used, along with the original formula φ, to solve the satisfiability problem for φ, which is reduced to a finite number of k-satisfiability problems of formula φ' for increasing values of k. Formula φ' is defined as the conjunction of the original formula φ with formula φ_{A_C}, representing runs of automaton A_C, and formula φ_{A_E}, representing runs of A_E. Sequences of locally consistent symbolic valuations recognized by the automaton A_E are, in fact, models of the formula φ_{A_E} := G(⋁_{i=1}^m sv_i). Since the bounded representation of formulae (see Section 4) is not contradictory (i.e., two consecutive symbolic valuations are satisfiable when they are locally consistent), the previous formula exactly represents the words of the language L(A_E). Formula φ_{A_C} is derived from automaton A_C by means of the translation in [Sistla and Clarke 1985]. Automaton A_C is built by complementing automaton A_{¬C} [Safra 1988], recognizing the complement language of L(A_C), which is obtained according to the procedure proposed in [Demri and D'Souza 2007]. Finally, to check the satisfiability of φ we verify whether formula φ ∧ φ_{A_C} ∧ φ_{A_E} is k-satisfiable with k ∈ ℕ. In order to be complete, k-satisfiability has to be checked at most a finite number of times. The existence of a finite completeness threshold is a consequence of the existence of automaton A_S (see Section 2.4) recognizing symbolic models of φ, and of Lemmata 2.7 and 2.5. In fact, let rd(A_φ) be the recurrence diameter of A_φ. Then, if formula φ ∧ φ_{A_C} ∧ φ_{A_E} is not k-satisfiable for all k ∈ [1, rd(A_φ) + 1], then there is no ultimately periodic symbolic model ρ such that both ρ ⊨ φ and there exists an arithmetic model σ with σ ⊨ ρ. Hence, formula φ is unsatisfiable. Otherwise, we have found an ultimately periodic symbolic model ρ of length k which admits an arithmetic model σ. From the k-bounded solution, we have a symbolic model ρ = αβ^ω (in SV(φ)^ω) and its bounded arithmetic model σ_k. The infinite model σ is defined from σ_k by iterating infinitely many times the sequence of symbolic valuations in β. Therefore, the completeness bound for BSP of CLTLB(D) formulae is defined by the recurrence diameter of A_S.

Thanks to the results of the previous sections, we can simplify the method presented in [Bersani et al. 2011]. We avoid the construction of automaton A_{¬C} through Safra's method and the construction of the set SV(φ). In particular, we take advantage of the definition of k-bounded models of φ. In fact, by Lemma 5.3 a finite sequence σ_k of D-valuations induces a unique locally consistent sequence of symbolic valuations ρ, such that σ_k, i ⊨ ρ(i), for all i ∈ [0, k]. Therefore, formula φ_{A_E} is no longer needed in order to obtain a finite locally consistent sequence of symbolic valuations. If φ is a formula of CLTLB(D) and D has the completion property, we can simply solve k-satisfiability problems for φ and not for φ ∧ φ_{A_E}. When D does not have the completion property, formula (6) allows us to avoid the construction of A_C. In fact, by Theorems 5.8 and 5.11, if |φ|_k is satisfiable then there is an ultimately periodic run αβ^ω which is recognized by automaton A_S × A_E. In the case of constraint systems without completion, Theorem 5.16 guarantees that if |φ|_k is satisfiable and formula (6) does not hold, then φ is satisfiable. Therefore, the model obtained by solving the k-satisfiability problem belongs to the language recognized by automaton A_S × A_E and also to the one of A_C.

The completeness property still holds without the explicit representation of automata A_E and A_C in the formula we check for satisfiability; the completeness threshold is the recurrence diameter of A_φ. However, since we do not require A_S to be actually built, the completeness threshold can be over-approximated as being exponential in the size of the formula: the number of control states of A_S is O(2^{|φ|}). We can consider a rough estimate for the completeness threshold defined by the value |A_C| · |SV(φ)| · 2^{|φ|}. The number of symbolic valuations |SV(φ)| is exponential in the size of formula φ. In the case of constraint systems (D, <, =) with completion, |A_C| = 1. When D is IPC*, the control states of A_C are defined by tuples of the form (a, i, b, j, d, h) where a, b ∈ V, i, j ∈ [0, λ], with λ = ⌈φ⌉ − ⌊φ⌋ + 1, and d, h ∈ {0, 1}. Then, |A_C| = 4|V|²λ².



7. RELATED WORK 

Schüle and Schneider [Schüle and Schneider 2007] provide a general algorithm to decide bounded LTL(L) model-checking problems of infinite state systems, where L is a general underlying logic. An LTL(L) formula φ is translated into an equivalent Büchi automaton A_φ, which is symbolically represented by means of a structure defining its transition relation and acceptance condition. Then, the LTL(L) model-checking problem is reduced to the μ-calculus model-checking problem modulo L, i.e., a verification of a fixpoint problem for a given Kripke structure with respect to symbolic representations of A_φ and the underlying language L. Whenever properties are neither proved nor disproved over finite computations, their truth value cannot be defined. For this reason, the authors adopt a three-valued logic to evaluate formulae whose components may have an undefined value. Bounded model-checking is performed essentially by computing approximate fixpoint sets of the desired formula and by checking whether the initial condition is a subset of such a set of states. The work of [Schüle and Schneider 2007] is based on previous results presented in [Schüle and Schneider 2004], which defines a hierarchy of Büchi automata (and, therefore, temporal formulae) for which infinite state bounded model-checking is complete. The specification language of [Schüle and Schneider 2004] is the quantifier-free fragment of Presburger LTL, LTL(PA), with past-time temporal modalities. The bounded model-checking problem is defined with respect to Kripke structures (S, I, R) and it is solved by means of a reduction to the satisfiability of Presburger formulae. In general, acceptance conditions of Büchi automata, requiring that some states are visited infinitely often, cannot be handled immediately by bounded approaches which do not consider the ultimately periodic models used, for instance, in the bounded model-checking approach of Biere et al. [Biere et al. 1999] or in the encoding of Büchi automata of de Moura et al. [de Moura et al. 2002]. Therefore, Schüle and Schneider follow a different approach, tailored to bounded verification, and focus on the analysis of some classes of LTL formulae, denoted TL_F and TL_G, such that the corresponding Büchi automaton has a simpler accepting condition which does not involve infinite computations. TL_F and TL_G are the sets of LTL formulae such that each occurrence of a weak/strong temporal operator is negative/positive and positive/negative, respectively. LTL formulae are then represented symbolically by an automaton which is built using the method proposed by Clarke et al. in [Clarke et al. 1994] rather than using the Vardi-Wolper construction [Vardi and Wolper 1986].

Reducing the model-checking problem to Presburger satisfiability is a rather standard approach when dealing with infinite-state systems. Demri et al. in [Demri et al. 2010] show how to solve the LTL(PA) model-checking problem for the class of admissible counter systems, which are finite state automata endowed with variables over ℤ whose transitions are labeled by Presburger formulae. In [Demri et al. 2010] the authors study the decidability of the model-checking problem for admissible counter systems with respect to the first-order CTL* language over Presburger formulae.

Hodkinson et al. study decidable fragments of first-order temporal logic in [Hodkinson et al. 2000]. Although some axiomatizations of first-order temporal logic are known, various incompleteness results induce the authors to study useful fragments with expressiveness between that of propositional and of first-order temporal logic. Hodkinson et al. are interested in studying the satisfiability problem and they do not consider the model-checking problem, which requires a formalism defining the interpretation of first-order variables over time. In other words, variables do not vary over time and their temporal behavior is not relevant. The languages investigated by the authors are obtained by restricting both the first-order part and the temporal part.

Bultan et al. present a symbolic model checker for analyzing programs with unbounded integer domains [Bultan et al. 1999]. Programs are defined by an event-action language where atomic events are expressed by Presburger formulae over program variables V. The semantics of programs is defined in terms of infinite transition systems where the states are determined by the values of variables. The specification language is a CTL-like temporal logic enriched with Presburger-definable constraints over V. Solving the CTL model-checking problem involves the computation of least fixpoints over sets of program states: the abstract interpretation of Cousot and Cousot [Cousot and Cousot 1977] provides a method to compute approximations of fixpoints. Model-checking is done conservatively: the approximation technique admits false negatives, i.e., the solver may indicate that a property does not hold when it actually does. Programs are analyzed symbolically by means of symbolic execution techniques and they are represented by means of Presburger-definable transition systems, where Presburger formulae represent symbolically the transition relation and the set of program states. Then, the state space is partitioned in order to reduce the complexity of verification and to obtain decidability for some classes of temporal properties, such as reachability ones. Experimental results, based on the standard Bakery algorithm and the Ticket mutual-exclusion algorithm, show the effectiveness of the method when verification involves a mutual exclusion requirement.

8. CONCLUDING REMARKS 

The decision procedure described in this paper has been implemented in our bounded satisfiability checker Zot, which can be found at http://zot.googlecode.com. The ae²Zot plug-in of Zot solves k-satisfiability for CLTLB over Quantifier-Free Presburger arithmetic (QFP), of which IPC* is a fragment, but it also supports the constraint system (ℝ, <, =). Even if constraint systems like IPC*, or fragments thereof, do not provide a counting mechanism (provided, for instance, through the addition of functions like + in QFP), they can still be used to represent an abstraction of a richer transition system. In fact, functions like addition, or in general relations over counters which embed a counting mechanism, make the satisfiability problem of CLTLB undecidable (see [Demri and D'Souza 2007, Section 9.3]).

To conclude this paper, we provide two examples of use of the CLTLB(IPC*) logic to specify and verify system behavior, which highlight the applicability of our approach.

As a first example, we show how CLTLB over (D, <, =) can be used to specify a sorting process of a sequence of fixed length N of values in D. Let v ∈ D^N be the (initial) vector that we want to sort and a ∈ D^N be the vector during each step of sorting. We write v(i) for the i-th component of v, 1 ≤ i ≤ N. Notice that we will use the notation a(i), which, strictly speaking, is not a






A:34 



Marcello M. Bersani et al. 



CLTLB term; however, since the length of the array is fixed, we can use N variables a_i to represent the elements of a, one for each a(i). Then, in the following, if a(i) is replaced with a_i, one obtains CLTLB(D, <, =) formulae. We define a set of formulae representing a sorting process which swaps unsorted pairs of values at some nondeterministic position in the vector (we focus only on the most relevant ones). A variable p ∈ [0, N − 1] stores the position of the elements which are a candidate pair for swapping; i.e., p = i means that element a(i) is swapped with element a(i + 1), while p = 0 means that no elements are swapped (0 is not a position of the vector). A nondeterministic algorithm can swap arbitrarily two elements in [1, N]; then, the only constraint on variable p is that 0 ≤ p ≤ N, i.e.: G(p ≤ N ∧ p ≥ 0). An unsorted pair of values is indexed by a nonzero value of p:

$$G\Big(\bigwedge_{i \in [1, N-1]} p = i \Rightarrow a(i) > a(i+1)\Big)$$

A swap between two adjacent positions of a is formalized by the following formula:

$$p = i \Rightarrow Xa(i) = a(i+1) \wedge Xa(i+1) = a(i)$$

Vector a is unchanged when no pairs are candidate for swapping: G(p = 0 ⇒ ⋀_{i∈[1,N]} (a(i) = Xa(i))). Through the ae²Zot plugin of the Zot tool mentioned above we can then verify properties of the algorithm, e.g., whether there exists a way to sort array a within k steps (with k the verification bound), which is formalized by the following formula:

$$\bigwedge \big(a(i) \le a(i+1)\big) \wedge \bigwedge_{i \in [1, N]} \bigvee_{j \in [1, N]} \big(a(i) = v(j)\big)$$
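To see the sorting specification above as a bounded check, the following added example (not the paper's code, nor Zot's) enumerates the runs that the formulae admit and asks whether a sorted vector made of the values of v is reachable within k steps, i.e. the k-satisfiability of the last property; it uses explicit search instead of the SMT encoding, and the vectors are constructed.

```python
"""Bounded check of the CLTLB sorting specification of the concluding remarks.

Added example, not code from the paper or from Zot.  One step of a run is
one choice of p: p = 0 leaves a unchanged, p = i (1 <= i <= N-1) is allowed
only if a(i) > a(i+1) and then swaps a(i) and a(i+1), exactly as the three
formulae of the specification require.  Input vectors are constructed.
"""
from collections import deque

def successors(a):
    """Vectors reachable from a in one step of the specification.
    Positions are 1-based as in the paper; tuples are 0-based internally."""
    yield a                               # p = 0: G(p = 0 => a(i) = Xa(i))
    n = len(a)
    for i in range(1, n):                 # p = i, 1 <= i <= N-1
        if a[i - 1] > a[i]:               # G(p = i => a(i) > a(i+1))
            b = list(a)
            b[i - 1], b[i] = b[i], b[i - 1]   # Xa(i) = a(i+1), Xa(i+1) = a(i)
            yield tuple(b)

def is_goal(a, v):
    """The property checked: a is sorted and every a(i) equals some v(j)."""
    sorted_ok = all(a[i] <= a[i + 1] for i in range(len(a) - 1))
    values_ok = all(any(a[i] == v[j] for j in range(len(v)))
                    for i in range(len(a)))
    return sorted_ok and values_ok

def min_steps_to_sort(v):
    """Smallest k such that some run of k steps from a = v reaches the goal
    (breadth-first search over the finite set of reachable vectors), or
    None if no run reaches it."""
    v = tuple(v)
    dist = {v: 0}
    queue = deque([v])
    while queue:
        a = queue.popleft()
        if is_goal(a, v):
            return dist[a]
        for b in successors(a):
            if b not in dist:
                dist[b] = dist[a] + 1
                queue.append(b)
    return None

def sortable_within(v, k):
    """k-satisfiability of 'a is sorted within k steps' for initial vector v."""
    d = min_steps_to_sort(v)
    return d is not None and d <= k

def inversions(v):
    """Number of unordered pairs; each allowed swap removes exactly one, so
    this is the least bound k for which the property is k-satisfiable."""
    return sum(1 for i in range(len(v)) for j in range(i + 1, len(v))
               if v[i] > v[j])

if __name__ == "__main__":
    for vec in [(3, 1, 2), (4, 3, 2, 1), (1, 2, 3)]:
        print(vec, "min steps:", min_steps_to_sort(vec),
              "inversions:", inversions(vec))
```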




A CLTLB-based approach can also be used to verify properties of Timed Automata [Alur and Dill 1994] over CLTLB specifications that directly express properties over clocks (following an approach similar to the one sketched in [Tripakis et al. 2005]). Informally, a timed automaton is a finite state automaton where transitions are labeled by atomic propositions belonging to a set AP (actions), and can have guards with conditions of the form x ∼ c (where x is a clock, c ∈ ℕ and ∼ ∈ {<, ≤, =, ≥, >}), and clock resets of the form x := 0. Automated verification of Timed Automata is made possible by considering a finite quotient of the state space of the transition system TS(ta) representing computations of a timed automaton ta. By defining a suitable equivalence relation over the set of states of TS(ta), we can define a corresponding region transition system RTS(ta) with a finite set of states. States of RTS(ta) (regions) are equivalence classes of states in TS(ta) satisfying the same atomic clock constraints; essentially, they are represented by conjunctions of atomic propositions and constraints over (ℕ, <, =). Therefore, in our approach, RTS(ta) can be translated into a CLTLB formula defining the transition relation by means of formulae of the form s_j ⇒ Xs_{j+1} and s_j ⇔ ξ, where ξ is an IPC* formula defining the region associated with s_j. We plan to explore these (and other) applications of the use of CLTLB in future works.
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9. APPENDIX 

9.1. Proof of Proposition [574] 

Proof. We show that for all $i \geq 0$, $(\pi,\sigma), i \models \phi \Leftrightarrow r_{model}(\pi,\sigma), i \models r(\phi) \wedge \mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$. It follows immediately that $(\pi,\sigma), i \models \phi \Leftrightarrow r_{model}(\pi,\sigma), i \models r(\phi)$ and $r_{model}(\pi,\sigma), i \models \mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$. Hereafter, we write $\theta$ instead of $r_{model}(\pi,\sigma)$. 

First, we prove by induction the left subformula $(\pi,\sigma), i \models \phi \Leftrightarrow \theta, i \models r(\phi)$ for $i \geq 0$. The base case is given on propositional atoms. Since $(\pi,\sigma), i \models p_j \Leftrightarrow p_j \in \pi(i)$ and by definition of $\theta = r_{model}((\pi,\sigma))$, we can conclude that $\theta(i, x_{p_j}) = 1$. By definition $\theta, i \models (x_{p_j} = 1) \Leftrightarrow \theta(i, x_{p_j}) = 1$; hence, $\theta, i \models r(p_j)$. Moreover, because $(\pi,\sigma), i \models R(\alpha_1, \ldots, \alpha_n)$ depends only on $\sigma$ and $\theta(j, x) = \sigma(j, x)$ for all $x \in V$ and $\lfloor\phi\rfloor \leq j$, then $\theta, i \models R(\alpha_1, \ldots, \alpha_n)$. 

Inductive step. 

— If $\phi = \neg\psi$ then $(\pi,\sigma), i \models \phi \Leftrightarrow (\pi,\sigma), i \not\models \psi$. By inductive hypothesis, this is equivalent to $\theta, i \not\models r(\psi)$, i.e. $\theta, i \models r(\phi)$, as $r(\phi) = \neg r(\psi)$. 

— If $\phi = \psi_1 \wedge \psi_2$ then $(\pi,\sigma), i \models \phi \Leftrightarrow (\pi,\sigma), i \models \psi_1$ and $(\pi,\sigma), i \models \psi_2$. By inductive hypothesis, this is equivalent to $\theta, i \models r(\psi_1)$ and $\theta, i \models r(\psi_2)$, i.e. $\theta, i \models r(\psi_1) \wedge r(\psi_2)$, and $\theta, i \models r(\phi)$. 

— If $\phi = \mathbf{X}\psi$ then $(\pi,\sigma), i \models \phi \Leftrightarrow (\pi,\sigma), i+1 \models \psi$. By inductive hypothesis, this is equivalent to $\theta, i+1 \models r(\psi)$, i.e., $\theta, i \models \mathbf{X} r(\psi)$, which corresponds to $\theta, i \models r(\phi)$. 

— If $\phi = \mathbf{Y}\psi$ then $(\pi,\sigma), i \models \phi \Leftrightarrow (\pi,\sigma), i-1 \models \psi$ and $i > 0$. By inductive hypothesis, this is the same as $\theta, i-1 \models r(\psi)$ and $i > 0$, i.e., $\theta, i \models \mathbf{Y} r(\psi)$, and $\theta, i \models r(\phi)$, as $r(\phi) = \mathbf{Y} r(\psi)$. 

— If $\phi = \psi_1 \mathbf{U} \psi_2$ then $(\pi,\sigma), i \models \phi \Leftrightarrow$ there exists $j \geq i$ s.t. $(\pi,\sigma), j \models \psi_2$ and $(\pi,\sigma), n \models \psi_1$ for all $i \leq n < j$, that is, by inductive hypothesis, there exists $j \geq i$ s.t. $\theta, j \models r(\psi_2)$ and $\theta, n \models r(\psi_1)$ for all $i \leq n < j$, which in turn is equivalent to $\theta, i \models r(\psi_1) \mathbf{U} r(\psi_2)$ and $\theta, i \models r(\phi)$. 

— If $\phi = \psi_1 \mathbf{S} \psi_2$ then $(\pi,\sigma), i \models \phi \Leftrightarrow$ there exists $0 \leq j \leq i$ s.t. $(\pi,\sigma), j \models \psi_2$ and $(\pi,\sigma), n \models \psi_1$ for all $j < n \leq i$, that is, by inductive hypothesis there exists $0 \leq j \leq i$ s.t. $\theta, j \models r(\psi_2)$ and $\theta, n \models r(\psi_1)$ for all $j < n \leq i$, which is equivalent to $\theta, i \models r(\psi_1) \mathbf{S} r(\psi_2)$ and $\theta, i \models r(\phi)$. 

Finally, we prove the first part $(\pi,\sigma), 0 \models \phi \Leftrightarrow \theta, 0 \models r(\phi)$ by taking $i = 0$. 

Let us prove by induction the second part $(\pi,\sigma), i \models \phi \Rightarrow \theta, i \models \mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$, for $i \geq 0$. The base case is $\theta, i \models \bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0)$, which holds for all $i \geq 0$ by definition of $r_{model}(\pi,\sigma)$. The inductive hypothesis applies on formula $\mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$ at generic position $i$ for all $i > 0$. $\theta, i \models \bigwedge_{l=1}^{n} ((x_{p_l} = 1) \vee (x_{p_l} = 0)) \wedge \mathbf{X}\mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$ is equivalent to $\theta, i \models \bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0)$ and $\theta, i \models \mathbf{X}\mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$. The first conjunct follows from the base case. The second formula $\theta, i \models \mathbf{X}\mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$ is equivalent to $\theta, i+1 \models \mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$, which holds by inductive hypothesis. Therefore, by taking $i = 0$ we conclude that $\theta, 0 \models \mathbf{G}(\bigwedge_{l=1}^{n} (x_{p_l} = 1) \vee (x_{p_l} = 0))$. □ 

9.2. Proof of Proposition |575| 

Proof. Let $s = \lfloor\phi\rfloor$. We show that for all $i \geq 0$, $\sigma, i \models \phi \Leftrightarrow \sigma, i+s \models \rho(\phi)$ by induction on the structure of the formula $\phi$. 

The base case of the induction is given on the atomic formulae $\phi = R(\alpha_1, \ldots, \alpha_n)$. Since $\sigma, i \models_{\mathcal{D}} \phi \Leftrightarrow R(\sigma(i + |\alpha_1|, x_{\alpha_1}), \ldots, \sigma(i + |\alpha_n|, x_{\alpha_n}))$, by shifting the instant $i$ of $s$ the satisfaction relation is $\sigma, i \models_{\mathcal{D}} \phi \Leftrightarrow R(\sigma(i + s + |\alpha_1| - s, x_{\alpha_1}), \ldots, \sigma(i + s + |\alpha_n| - s, x_{\alpha_n}))$. Then, we can equivalently write $\sigma, i \models_{\mathcal{D}} \phi \Leftrightarrow R(\sigma(i + s + |\rho(\alpha_1)|, x_{\alpha_1}), \ldots, \sigma(i + s + |\rho(\alpha_n)|, x_{\alpha_n}))$, that is $\sigma, i+s \models R(\rho(\alpha_1), \ldots, \rho(\alpha_n))$ and $\sigma, i+s \models \rho(R(\alpha_1, \ldots, \alpha_n))$. In fact, if $\alpha = \mathbf{X}^i x$ then $\rho(\alpha) = \mathbf{X}^{i-s} x$ and $|\rho(\alpha)| = |\alpha| - s$. If $\alpha = \mathbf{Y}^i x$ then $\rho(\alpha) = \mathbf{Y}^{i+s} x$ and $|\rho(\alpha)| = -(i+s) = |\alpha| - s$, since $|\alpha| = -i$. 
Inductive step. 






— If $\phi = \neg\psi$ then $\sigma, i \models \phi \Leftrightarrow \sigma, i \not\models \psi$. By inductive hypothesis, this is equivalent to $\sigma, i+s \not\models \rho(\psi)$, i.e. $\sigma, i+s \models \rho(\phi)$, as $\rho(\phi) = \neg\rho(\psi)$. 

— If $\phi = \psi_1 \wedge \psi_2$ then $\sigma, i \models \phi \Leftrightarrow \sigma, i \models \psi_1$ and $\sigma, i \models \psi_2$. By inductive hypothesis, this is equivalent to $\sigma, i+s \models \rho(\psi_1)$ and $\sigma, i+s \models \rho(\psi_2)$, i.e. $\sigma, i+s \models \rho(\psi_1) \wedge \rho(\psi_2)$, and $\sigma, i+s \models \rho(\phi)$. 

— If $\phi = \mathbf{X}\psi$ then $\sigma, i \models \phi \Leftrightarrow \sigma, i+1 \models \psi$. By inductive hypothesis, this is equivalent to $\sigma, i+1+s \models \rho(\psi)$, i.e., $\sigma, i+s \models \mathbf{X}\rho(\psi)$, which corresponds to $\sigma, i+s \models \rho(\phi)$. 

— If $\phi = \mathbf{Y}\psi$ then $\sigma, i \models \phi \Leftrightarrow \sigma, i-1 \models \psi$. By inductive hypothesis, this is the same as $\sigma, i-1+s \models \rho(\psi)$, i.e., $\sigma, i+s \models \mathbf{Y}\rho(\psi)$, and $\sigma, i+s \models \rho(\phi)$, as $\rho(\phi) = \mathbf{Y}\rho(\psi)$. 

— If $\phi = \psi_1 \mathbf{U} \psi_2$ then $\sigma, i \models \phi$ iff there exists $j \geq i$ s.t. $\sigma, j \models \psi_2$ and $\sigma, n \models \psi_1$ for all $i \leq n < j$, that is, by inductive hypothesis, $\sigma, j+s \models \rho(\psi_2)$ and $\sigma, n \models \rho(\psi_1)$ for all $i+s \leq n < j+s$, which in turn is equivalent to $\sigma, i+s \models \rho(\psi_1) \mathbf{U} \rho(\psi_2)$ and $\sigma, i+s \models \rho(\phi)$. 

— If $\phi = \psi_1 \mathbf{S} \psi_2$ then $\sigma, i \models \phi$ iff there exists $0 \leq j \leq i$ s.t. $\sigma, j \models \psi_2$ and $\sigma, n \models \psi_1$ for all $j < n \leq i$, that is, by inductive hypothesis $\sigma, j+s \models \rho(\psi_2)$ and $\sigma, n \models \rho(\psi_1)$ for all $j+s < n \leq i+s$, which is equivalent to $\sigma, i+s \models \rho(\psi_1) \mathbf{S} \rho(\psi_2)$ and $\sigma, i+s \models \rho(\phi)$. 

Finally, $\sigma, 0 \models \phi \Leftrightarrow \sigma, s \models \rho(\phi)$ by taking $i = 0$. □ 



9.3. Proof of Corollary [5/7] 

Proof. It is easy to see that relation $\models$ is not affected by the rewriting $\rho$. In fact, for atomic formulae $R(\alpha_1, \ldots, \alpha_n)$ we have that $p, i \models R(\alpha_1, \ldots, \alpha_n)$ if, and only if, $\rho(p), i \models \rho(R(\alpha_1, \ldots, \alpha_n))$. Let us suppose that for all assignments $v'$, we have $v' \models_{\mathcal{D}}$ if, and only if, $v' \models_{\mathcal{D}} f(R)$. Then, since $\rho$ is a rewriting of terms, the previous property is preserved provided that assignment $f$ is replaced by a function $f' : \rho(terms(\phi)) \to A$, where $A$ is a set of fresh variables (see Section 2.4). Standard temporal modalities are handled as for $\models$. □ 



9.4. Complete encoding for checking A c 

Local strict forward paths are encoded by predicate $f_{x,y} : \mathbb{N}^3 \to \{true, false\}$ for all pairs $x, y \in V \cup const(\phi)$, and $\bar{f}_{x,y}$ for local forward paths. Similarly, predicate $b_{x,y} : \mathbb{N}^3 \to \{true, false\}$ for all pairs $x, y \in V \cup const(\phi)$, and $\bar{b}_{x,y}$ for local backward paths. 

$$
f_{x,y}(j,h,m) \Leftrightarrow \sigma_k(j+h, x) < \sigma_k(j+m, y), \qquad \bar{f}_{x,y}(j,h,m) \Leftrightarrow \sigma_k(j+h, x) \leq \sigma_k(j+m, y) \qquad \text{for } 0 \leq j \leq k \text{ and } h < m
$$

$$
f_{x,y}(j,h,m) \Leftrightarrow \bot, \qquad \bar{f}_{x,y}(j,h,m) \Leftrightarrow \bot \qquad \text{for } 0 \leq j \leq k \text{ and } h \geq m
$$

for all $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$. When both $x, y \in const(\phi)$ then $f_{x,y} \Leftrightarrow x < y$ and $\bar{f}_{x,y} \Leftrightarrow x \leq y$ for all $0 \leq j \leq k$ and $h < m$; $f_{x,y} \Leftrightarrow \bot$ and $\bar{f}_{x,y} \Leftrightarrow \bot$ for all $0 \leq j \leq k$ and $h \geq m$. 



$$
b_{x,y}(j,h,m) \Leftrightarrow \sigma_k(j+h, x) < \sigma_k(j+m, y), \qquad \bar{b}_{x,y}(j,h,m) \Leftrightarrow \sigma_k(j+h, x) \leq \sigma_k(j+m, y) \qquad \text{for } 0 \leq j \leq k \text{ and } h > m
$$

$$
b_{x,y}(j,h,m) \Leftrightarrow \bot, \qquad \bar{b}_{x,y}(j,h,m) \Leftrightarrow \bot \qquad \text{for } 0 \leq j \leq k \text{ and } h \leq m
$$

for all $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$. When both $x, y \in const(\phi)$ then $b_{x,y} \Leftrightarrow x < y$ and $\bar{b}_{x,y} \Leftrightarrow x \leq y$ for all $0 \leq j \leq k$ and $h > m$; $b_{x,y} \Leftrightarrow \bot$ and $\bar{b}_{x,y} \Leftrightarrow \bot$ for all $0 \leq j \leq k$ and $h \leq m$. 

Predicates $F$ and $\bar{F}$ are encoded by uninterpreted predicates $F_{x,y} : \mathbb{N}^4 \to \{true, false\}$ and $\bar{F}_{x,y} : \mathbb{N}^4 \to \{true, false\}$ for all pairs of variables $x, y \in V \cup const(\phi)$. Backward paths are encoded by means of uninterpreted predicates $B_{x,y} : \mathbb{N}^4 \to \{true, false\}$ and $\bar{B}_{x,y} : \mathbb{N}^4 \to \{true, false\}$ for all pairs of variables $x, y \in V \cup const(\phi)$. We use the symbol $P \in \{F, B\}$ in order to avoid repetition of similar formulae for predicates $F$ and $B$: 
$$
\bigwedge_{i \in [1,k]} \ \bigwedge_{m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]} \ \bigwedge_{j \in [0,k-1]} \left( \bigwedge_{h \in [\lfloor\phi\rfloor + 1, \lceil\phi\rceil]} \big( P_{x,y}(j,h,i,m) \Leftrightarrow P_{x,y}(j+1, h-1, i, m) \big) \ \wedge \ \bigwedge_{h \in [\lfloor\phi\rfloor, \lceil\phi\rceil - 1]} \big( P_{x,y}(j,h,i,m) \Leftrightarrow P_{x,y}(j-1, h+1, i, m) \big) \right)
$$

and 

$$
\bigwedge_{j \in [0,k-1]} \ \bigwedge_{h \in [\lfloor\phi\rfloor, \lceil\phi\rceil]} \ \bigwedge_{i \in [j,k-1]} \left( \bigwedge_{m \in [\lfloor\phi\rfloor + 1, \lceil\phi\rceil]} \big( P_{x,y}(j,h,i,m) \Leftrightarrow P_{x,y}(j, h, i+1, m-1) \big) \ \wedge \ \bigwedge_{m \in [\lfloor\phi\rfloor, \lceil\phi\rceil - 1]} \big( P_{x,y}(j,h,i,m) \Leftrightarrow P_{x,y}(j, h, i-1, m+1) \big) \right)
$$

Formulae defining $F$ and $\bar{F}$ are encoded: 

$$
F_{x,y}(j,h,i,m) \Leftrightarrow \bigvee_{z \in V} \bigvee_{u = \lfloor\phi\rfloor}^{\lceil\phi\rceil} \big( f_{x,z}(j,h,u) \wedge \bar{F}_{z,y}(j,u,i,m) \big) \ \vee \ \bigvee_{z \in V} \bigvee_{u = \lfloor\phi\rfloor}^{\lceil\phi\rceil} \big( \bar{f}_{x,z}(j,h,u) \wedge F_{z,y}(j,u,i,m) \big)
$$

$$
\bar{F}_{x,y}(j,h,i,m) \Leftrightarrow \bigvee_{z \in V} \bigvee_{u = \lfloor\phi\rfloor}^{\lceil\phi\rceil} \bar{f}_{x,z}(j,h,u) \wedge \bar{F}_{z,y}(j,u,i,m)
$$

for all $j, i \in [0,k]$ with $j < i$ and for all $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$ such that $j+h < i+m$, $(i+m) - (j+m) \geq -\lfloor\phi\rfloor + \lceil\phi\rceil$, $h = \lfloor\phi\rfloor$, $(x = z) \Rightarrow (h \neq u)$, and for all pairs $x, y \in V \cup const(\phi)$. When $j = i \in [0,k]$ and $h < m$, with $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$: 

$$
F_{x,y}(j,h,j,m) \Leftrightarrow f_{x,y}(j,h,m), \qquad \bar{F}_{x,y}(j,h,j,m) \Leftrightarrow \bar{f}_{x,y}(j,h,m)
$$

When $j + h \geq i + m$ then: 

$$
F_{x,y}(j,h,j,m) \Leftrightarrow \bot, \qquad \bar{F}_{x,y}(j,h,j,m) \Leftrightarrow \bot
$$

Formulae defining $B$ and $\bar{B}$ are: 

$$
B_{x,y}(j,h,i,m) \Leftrightarrow \bigvee_{z \in V} \bigvee_{u = \lfloor\phi\rfloor}^{\lceil\phi\rceil} \big( b_{x,z}(j,h,u) \wedge \bar{B}_{z,y}(j,u,i,m) \big) \ \vee \ \bigvee_{z \in V} \bigvee_{u = \lfloor\phi\rfloor}^{\lceil\phi\rceil} \big( \bar{b}_{x,z}(j,h,u) \wedge B_{z,y}(j,u,i,m) \big)
$$

$$
\bar{B}_{x,y}(j,h,i,m) \Leftrightarrow \bigvee_{z \in V} \bigvee_{u = \lfloor\phi\rfloor}^{\lceil\phi\rceil} \bar{b}_{x,z}(j,h,u) \wedge \bar{B}_{z,y}(j,u,i,m)
$$

for all $j, i \in [0,k]$ with $j > i$ and for all $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$ such that $j+h > i+m$, $(j+m) - (i+m) \geq -\lfloor\phi\rfloor + \lceil\phi\rceil$, $h = \lfloor\phi\rfloor$, $(x = z) \Rightarrow (h \neq u)$, and for all pairs $x, y \in V \cup const(\phi)$. When $j = i \in [0,k]$ and $h > m$, with $h, m \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$: 

$$
B_{x,y}(j,h,j,m) \Leftrightarrow b_{x,y}(j,h,m), \qquad \bar{B}_{x,y}(j,h,j,m) \Leftrightarrow \bar{b}_{x,y}(j,h,m)
$$

When $j + h \leq i + m$ then: 

$$
B_{x,y}(j,h,j,m) \Leftrightarrow \bot, \qquad \bar{B}_{x,y}(j,h,j,m) \Leftrightarrow \bot
$$

Formulae capturing loops are: 

$$
LF_x(h) := F_{x,x}(loop - 1, h, k, h), \qquad \overline{LF}_x(h) := \bar{F}_{x,x}(loop - 1, h, k, h)
$$

$$
LB_x(h) := B_{x,x}(k, h, loop - 1, h), \qquad \overline{LB}_x(h) := \bar{B}_{x,x}(k, h, loop - 1, h)
$$

for all $h \in [\lfloor\phi\rfloor, \lceil\phi\rceil]$. 
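The following is an added example in Python, not the paper's or the Zot tool's code: it evaluates the local path predicates $f$, $\bar{f}$, the derived path predicates $F$, $\bar{F}$ and the loop predicate $LF_x(h)$ over a constructed $k$-bounded model $\sigma_k$, with assumed values $k = 4$, $loop = 2$ and window $[\lfloor\phi\rfloor, \lceil\phi\rceil] = [0, 2]$. Positions are kept absolute ($p = j + h$, $q = i + m$), which is what the shift rules above make equivalent, so the recursion below is the path-existence reading of the $(f \wedge \bar{F}) \vee (\bar{f} \wedge F)$ disjunction rather than the paper's literal SMT encoding.

```python
# Added example (not the paper's code): evaluate the path predicates of
# Section 9.4 over a constructed k-bounded model sigma_k.  Positions are
# absolute (p=j+h, q=i+m), as the shift rules P(j,h,i,m) <=> P(j+1,h-1,i,m) make them.
from functools import lru_cache

K, LOOP = 4, 2              # bound k and loop position (assumed values)
LO, HI = 0, 2               # [floor(phi), ceil(phi)] for a formula of X-depth 2
VARS = ("x", "y")
# Constructed sigma_k: (variable, position) -> value for positions 0..K+HI.
SIGMA = {("x", p): v for p, v in enumerate([0, 1, 1, 2, 3, 3, 4])}
SIGMA.update({("y", p): v for p, v in enumerate([1, 1, 2, 2, 4, 4, 5])})

def f(x, y, j, h, m, strict=True):
    """f_{x,y}(j,h,m): sigma_k(j+h,x) < sigma_k(j+m,y) when 0<=j<=k and
    h<m, and bottom when h>=m.  strict=False evaluates fbar (<=)."""
    if not (0 <= j <= K and LO <= h < m <= HI):
        return False
    a, b = SIGMA[(x, j + h)], SIGMA[(y, j + m)]
    return a < b if strict else a <= b

def fbar(x, y, j, h, m):
    return f(x, y, j, h, m, strict=False)

def step(x, p, z, q, strict):
    """A local step exists when some window j in [0,k] sees p=j+h, q=j+u."""
    return any(f(x, z, j, p - j, q - j, strict) for j in range(K + 1))

@lru_cache(maxsize=None)
def F(x, p, y, q, strict=True):
    """F_{x,y}(j,h,i,m) with p=j+h, q=i+m: a chain of local steps from
    (p,x) to (q,y).  strict=True needs one strict step somewhere, i.e. the
    (f /\ Fbar) \/ (fbar /\ F) disjunction; strict=False is Fbar."""
    if p >= q:                         # j+h >= i+m: bottom
        return False
    if step(x, p, y, q, strict):       # one local step (the j == i case)
        return True
    for z in VARS:
        for u in range(p + 1, q):      # intermediate node (u, z)
            if strict and step(x, p, z, u, True) and F(z, u, y, q, False):
                return True
            if step(x, p, z, u, False) and F(z, u, y, q, strict):
                return True
    return False

def Fbar(x, p, y, q):
    return F(x, p, y, q, strict=False)

def LF(x, h, strict=True):
    """LF_x(h) := F_{x,x}(loop-1, h, k, h); strict=False gives LFbar_x(h)."""
    return F(x, LOOP - 1 + h, x, K + h, strict)
```

On the constructed $\sigma_k$, `F("y", 4, "x", 6)` is false while `Fbar("y", 4, "x", 6)` is true, which is the difference between a strict and a non-strict path that the paired predicates exist to track.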

The non-existence condition is $C(x, x', i)$ as defined in Section 5.1. The existence condition of an arithmetical model is captured by the formula: 

$$
\bigwedge_{\substack{x, x' \in V \cup const(\phi) \\ x \neq x',\ x \notin const(\phi) \vee x' \notin const(\phi)}} (loop - 1 \leq i_{x,x'} \leq k) \wedge \neg C_{x,x'}(i_{x,x'})
$$